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1 INTRODUCTION 


This edition of the OneOS Book corresponds to the V4.3R4E21 and V5.1R3E1 software releases. It is also 
available for all previous software releases of OneOS according to the features matrix described hereafter. 


The OneOS software developed for use with the ONE product range offers an extensive range of features 
designed to provide a complete & highly powerful range of multi-service access routers: 


e = Full IP router with NAPT, Security, and Quality of Service management 

e Support of voice for analog and ISDN SO/TO terminals using Voice over IP and Voice over ATM 
e —_Interworking of data protocols (FR, X.25, PAD, XOT, X.31) 

e Advanced management tools based on CLI (Command Line Interface), SNMP, FTP/TFTP 


This document is the OneOS user guide for Advanced IP functions of the OneOS-based range products. 
Seven other user guides and two global indexes are available: 

o OneOS — Admin User Guide 

o OneOS - Bridging & LAN User Guide 

o OneOS - Basic IP User Guide 

o OneOS — WAN User Guide 

o OneOS —- VoIP User Guide 

o OneOS —- VoATM & CES User Guide 

o OneOS — IBC User Guide 

o Index of OneOS User Guides (global table of contents) 

o _Index of CLI of OneOS User Guides (global list of CLI commands) 
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FEATURE MATRIX 


The following table is a resource providing edition by edition the released features. The table was done as 
of the V3.5R2E3 software release. For simplification, the indicated software release shows the presence of 
a feature in a given software release starting with V3.5R2E3. It should be noted that most features were 
available in earlier versions. 







































































Main Function | Feature Present at least in: 
IPv6 Functions | Routing on VLSM and CIDR V3.5R2E3 
IP fast forwarding and route caching V3.5R2E3 
Support of multiple IP addresses per interface V3.5R2E3 
Setting up of secondary IP addresses V3.5R2E3 
Unnumbered interfaces V3.5R2E3 
Loopback interfaces, Null interface V3.5R2E3 
Static routing, setting of route administrative distance (static V3.5R2E3 
floating routes) 
Equal cost multi-path routing (flow-based load sharing per V3.5R2E3 
destination) 
Equal cost multi-path routing (flow-based load sharing per V4.2R5E6 
packet) 
Support of DNS, domain name and hostname V3.5R2E3 
ICMP redirect V3.5R2E3 
Sending ICMP unreachables V3.5R2E3 
Static ARP entries V3.5R2E3 
TCP MSS (Maximum Segment Size) Clamping on any V3.5R2E3 
interface 
Support of IP helper addresses V3.5R2E3 
Support of IP directed broadcast V3.5R2E3 
Access lists on directed broadcast V4.3R2E2 
Support of Ethernet jumbo frames (up to 1606 bytes) on V4.2R5E15 
ONE20D, ONE80XM, ONE100D/M (on Ethernet 1/0 and 
ATM interfaces) 
Virtual Routing and Forwarding (VRF) V4.3R2E2 
GRE keep alive V3.5R2E3 
IP Security Software encryption algorithm: AES, DES, 3DES V3.5R2E3 
(IPsec) Software authentication algorithm: SHA, MD5 V3.5R2E3 
Hardware encryption algorithm (ONE60 only, on compatible V3.5R2E3 
hardware): DES, 3DES 
Hardware authentication algorithm (ONE60 only, on V3.5R2E3 
compatible hardware): SHA 
Perfect forward secrecy (PFS) V3.5R2E3 
Manual IPsec crypto map V3.5R2E3 
Internet Key Exchange (IKE) V3.5R2E3 
IKE with X.509 certificates V4.2R5E6 
Compression (IP comp algorithm) V3.5R2E3 
Configuration of SA lifetime V3.5R2E3 
Dynamic crypto maps V3.5R2E3 
Applying a crypto map directly on an output interface V3.5R2E3 
Applying a crypto map on a GRE tunnel V3.5R2E3 


















































Advanced IP User Guide 


Page 1.1-4 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 
























































































































































Main Function | Feature Present at least in: 
Tunnel keep alive V3.5R2E3 
NAT traversal V3.5R3E1 
Easy VPN client: Xauth IKE authentication V3.7R13E6 
Easy VPN server V5.1R3E1 
VRF aware IPsec V5.1R3E1 
IPv6 Access _ | Standard ACL V3.5R2E3 
Control List | Extended ACL V3.5R2E3 
(ef) Reflexive filters (diode-effect rule) V3.5R2E3 
Context-Based Access Control (or Stateful Inspection) V3.5R2E3 
Reverse Path Forwarding Check (RPF) V3.5R2E3 
Configuration of ICMP unreachables V3.5R2E3 
Monitoring of fragments V3.5R2E3 
Rule-based logging V3.5R2E3 
Session auditing V3.5R2E3 
Rule sequencing and re-sequencing V3.5R2E3 
Limiting on half-open and open sessions V3.5R2E3 
Per-source-host session limiting and half-open session V3.5R2E3 
limiting, thresholds are configurable globally and per host 
Routing Support of V1 and V2 on any interfaces V3.5R2E3 
Information —_| Configuration of RIP version on a per-interface basis V3.5R2E3 
Protocol (RIP) ea 
Authentication support V3.5R2E3 
Redistribution of static, connected, OSPF and BGP routes V3.5R2E3 
Filtering redistributed routes based on route maps V3.5R2E3 
Route map feature: match using ACL and prefix-list, V3.5R2E3 
match/set tag, set metric 
Distribute-list (in/out) using standard ACL V3.5R2E3 
Configuration of administrative distance V3.5R2E3 
Disabling update source IP address validation V4.3R4E12 
Border Gateway | Network advertisement with a route-map directly applied V3.5R2E3 
Protocol (BGP) | onto the advertised network 
Support both eBGP and iBGP V3.5R2E3 
TCP MD5 authentication V3.5R2E3 
Neighbor configuration within peer-groups V3.5R2E3 
Support of non-directly connected eBGP neighbors (eBGP V3.5R2E3 
multi-hop) 
Community support and update filtering with community list V3.5R2E3 
Send default route on a per neighbor basis V3.5R2E3 
Limitation of the maximum learnt prefix number from a V3.5R2E3 
neighbor 
Allow routes with two or more times the same AS in its AS V3.5R2E3 
path (allowas-in) 
Overwrite next hop by router’s address (next-hop-self) V3.5R2E3 
Route-map based filtering by neighbors V3.5R2E3 
Soft connection reset V3.5R2E3 
Support of multi-path routes (load sharing) V3.5R2E3 
Redistribution of static, connected, OSPF and RIP routes V3.5R2E3 
Filtering redistributed routes based on route maps V3.5R2E3 
Route map feature: match using ACL and prefix-list, V3.5R2E3 
match/set tag, match/set community, match AS path, set 
metric 
BGP confederation V3.5R2E3 
Weight attribute V3.5R2E3 
Distribute-list V3.5R2E3 
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Main Function | Feature Present at least in: 
Route summarization (or aggregation) V3.5R2E3 
Route reflector V3.5R2E3 
Dampening of flapping routes V3.5R2E3 
VRF aware BGP V5.1R3E1 
Open Shortest | Stub areas, NSSA, totally stubby area V3.5R2E3 
Path First —_| Virtual links V3.5R2E3 
proteal(OSPr) Authentication V3.5R2E3 
Interface cost tuning V3.5R2E3 
Administrative distance V3.5R2E3 
Route redistribution V3.5R2E3 
Bidirectional BFD for IPV4/IPv6 V5.1R2E2 
Forwarding Hello echo V5.1R2E2 
Detection (BFD) Asynchronous mode V5.1R2E2 
Binding of BFD to static routes V5.1R2E2 
Multicast Routing) IGMP V1/V2/V3 V3.5R2E3 
PIM-SM V2 V3.5R2E3 
Source-specific multicast V3.5R2E3 
RP group list V3.5R2E3 
Bootstrap router support V3.5R2E3 
Static multicast routes V3.5R2E3 
Scope groups by direction V4.2R5E2 
Source interface setting for register address V3.5R2E3 
IGMP access-lists V3.5R2E3 
Switching to source tree V3.5R2E3 
IGMP snooping (RFC 4541) on bridge group with BVI V4.3R4E14 
Zone-based Firewall zones, zone-pairs V5.1R3E1 
Firewall Firewall policies, Firewall filters V5.1R3E1 
FTP, TFTP, SIP and H.323 ALGs V5.1R3E1 
Firewall logging and statistics V5.1R3E1 
VRF aware Zone-based Firewall V5.1R3E1 
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2 INTERNET PROTOCOL VERSION 6 (IPV6) 
OneOS implementation is intended to fulfill all requirements of the “IPv6-ready silver logo” 
(http:/Awww.ipv6ready.org/) and partially “IPv6-ready gold”. IPv6 is introduced in OneOS to make it a dual- 
stack IPv4-IPv6 router. “Dual-stack” means that router interfaces can be configured with IPv4 and IPv6 
addresses and are able to transmit and receive IPv6 and IPv4 packets. 

2.1 INTRODUCTION TO ONEOS IPV6 FEATURES 

2.1. IPv6 Address Writing Rules 

2.1.1.1 IPv6 Addresses 


IPv6 address format is specified in RFC 2373; IPv6 addresses are written as a series of 16-bit 
hexadecimal fields separated by colons. For example: 


e = «2001:0DB8:7654:3210:FEDC:BA98:7654:3210 
e 2001:0DB8:0:0:8:800:200C:417A 


Writing IPv6 addresses can be cumbersome. Fortunately, IPv6 addresses often contain many zeroes, 
which enable to simplify the writing of IPv6 addresses in a more compact form. Two colons (::) designate a 
portion of the IPv6 address, which is filled with zeroes. There can be only one (::) in the IPv6 address, 
which can be at the beginning, middle or end of the address. 




















Normal Format Compressed Format 

2001 :0:0:0:0DB8:800:200C:417A 2001 ::0DB8:800:200C:417A 
FF01:0:0:0:0:0:0:101 FFO1::101 

0:0:0:0:0:0:0:1 sy 

0:0:0:0:0:0:0:0 








The hexadecimal writing of IPv6 addresses is not case-sensitive in OneOS CLI. 


2.1.1.2 —IPv6 Prefix 


An |IPv6 address prefix is a block of contiguous addresses sharing a common bit-wise prefix. The IPv6 
prefixes are documented following recommendation of RFC 2373. The IPvé6 prefix is composed of an IPv6 
address prefix (encoded in the same format as an IPv6 address) and a prefix length. 


The prefix length is a decimal value that indicates how many of the high-order contiguous bits of the 
address comprise the prefix (the network portion of the address). For example, 2001:0DB8:8086:6502::/32 
is a valid IPv6 prefix. The range value for this prefix is <0 to 128> with 0 and 128 included. 
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2.1.1.3.  IPv6 URL 


An HTTP URL is written as follows in IPv4: http://1.2.3.4:8080. This URL form cannot be used as is with 
IPv6 as the colon is used as a separator to provide the port number. The RFC 2732 specifies how to write 
IPv6-compatible URL by using brackets. RFC examples: 


e — http://[FEDC:BA98:7654:321 0:FEDC:BA98:7654:321 0]:80/index.htm! 
e — http://[1080:0:0:0:8:800:200C:41 7A]/index.html 

e = http://[3ffe:2a00:100:7031::1] 

e —http://[1080::8:800:200C:417A]/foo 

e — http://[::192.9.5.5]/ipng 

e — http://[:: FFFF:129.144.52.38]:80/index.html 

e —http://[2010:836B:41 79::836B:41 79] 


2.1.2 Features 


The IPv6 stack implements Internet Control Message Protocol (ICMPv6), MLD, Transmission Control 
Protocol (TCP), User Datagram Protocol (UDP), as well as a number of advanced features including 
Access Control Lists (ACL). 


2.1.2.1. IP Fast Forwarding 


To achieve high forwarding performance, IP fast-forwarding has been implemented to create a fast routing 
of packets once the path to a specific destination has been for the most common IP packets except those, 
which require fragmentation or with specific options. It makes use of a route cache to accelerate routing 
table lookup and contains many other techniques to optimize fast forwarding processing. As a result, the 
overall forwarding performance is considerably improved. 


2.1.2.2 Multiple Addresses per Interface 


Multiple addresses can be assigned to one network interface such that multiple logical networks can be 
supported on a single physical network. 


2.1.2.3 Virtual Interfaces 


Virtual network interfaces are software interfaces that do not require a physical interface to run. Currently, 
virtual network interfaces include Loopback and Null interfaces. A Loopback interface loops all output 
packets back to IP. It can be used to virtually hold an IP address (not assigned to a physical port). The Null 
interface (much like the UNIX /dev/null device) discards all output packets and can be used to easily make 
routes unreachable. 


2.1.2.4 Static Routing 


At present, only static routing is supported without administrative distance. 


The case where several static routes have the same IPv6 prefix but different destinations (or 
gateway/interfaces) is not supported at present. (See ECMP in IPv4 chapter). 


2.1.2.5 | Dynamic Routing, Virtual Routing and Forwarding (VRF) 
At present dynamic routing protocols and VRF are not supported along with IPv6 protocols. 
2.1.2.6 IP Packet Processing Path 


The processing path is the same as that for IPv4 (see diagram in "IP Packet Processing Path" section of 
"|Pv4 Features" chapter of "OneOS — Basic IP User Guide" document). But at present, NAT is not 
supported with IPv6. 
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2.2 IPV6 CONFIGURATION COMMANDS 


The parameter values given in the configuration commands are all informal. - Users should replace them 
with the appropriate values. 


2.2.1 Advanced IPv6 License 


Certain IPv6-related features are only available when the ‘advanced-ipv6’ software license is activated. 
The related commands are rejected if the license is not activated on the router. License activation is 
possible if the product has sufficiently hardware resources and is pre-loaded with the rights to use the 
license. 


CLI (configure)> license activate advanced—-ipv6 


You are only allowed to use the features covered by this 
license, if OneAccess has granted permissions to you or your 
company. The features covered by the license are: 

-— Several remote managements protocols over IPv6 such as FTP, 
TFTP, HTTP client, SNMP, TACACS+, SSH 

- Dynamic routing protocols (such as BFD, BGP) 

- IP QOS for IPv6 

By using one of the above mentioned features, you acknowledge 
that you got these permissions. 


‘advanced-ipv6’ license successfully enabled. 


CLI (configure) > 
2.2.2 IPv6 Configuration 
2.2.2.1. Static IPv6 Address 


To assign an IP address to an interface, use the following command in interface configuration mode): 
CLI (configure)> interface <type> <unit> 


CLI (config-if)> ipv6 address prefix <ipv6-address>/<prefix-—len> 


The ipv6-address must be written as described in section 2.1.1.1. The prefix-len is a decimal value 
ranging from 0 to 128, which indicates the bit mask length of associated interface prefix. The command 
can be entered multiple times to add several IPv6 addresses on the interface. 


To delete an address, use the no form of the above-referenced command: 


CLI (config-if)> no ipv6 address prefix <ipv6-address>/<prefix-—len> 
2.2.2.2 Stateless Auto-configuration of IPv6 Address 


Stateless auto-configuration is a function enabled by ICMPvé6 that enables an interface to acquire a global 
unicast IPv6 address. Initially, the interface has got a link local address, which is built from fe80::/10 prefix 
and router MAC address. This link local address enables IPv6 communication with host connected on the 
same layer-2 link (Such as PPP link or Ethernet interface). Some ICMPv6 messages are exchanged 
(namely Router Solicitation and Router Advertisements —RA-), such that the interface can acquire its own 
address assigned by the router. 


To enable a router to get its IPv6 address via stateless auto-configuration, use the following command in 
interface configuration mode: 


CLI (config-if)> ipv6 address autoconfig 


To return to the default value (disabled auto-configuration), use the following command: 


CLI (config-if)> no ipv6 address autoconfig 
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2.2.2.3. Configuration of IPv6 Addressing for PPP Interfaces 


The PPP protocol has been extended to support IPv6. The IP Control Protocol (IPCP) is adapted to IPv6 in 
a new flavor called IPV6CP. With IPv6CP, the PPP peers exchange their IPv6 prefixes. If the PPP interface 
of an OneOS-based router is in stateless auto-configuration mode, the PPP interface can get its IP 
address through ICMPvé6. In other words, there are no PPP-specific commands for IPv6: the OneOS- 
based router just needs to be configured with a static IPv6 address/prefix or it must be in stateless 
autoconfiguration. 


2.2.2.4 Enable IPv6 Forwarding 


Warning: the following command is not operational right now. 
To enable/disable IP forwarding, use the following command in global configuration mode: 


CLI (configure)> [no] ipv6 unicast-routing 


Default: enabled. 
2.2.2.5 Static Routes 


To add a static route for any destination, use the following command in global configuration mode: 


CLI (configure)> [no] ipv6 route <ipv6-address-prefix> { <gateway> 
| <type> <unit> } 
[<distance>] 


ipv6-address-prefix is under the form X:X:X:X::X/<0-128> (see 2.1.1.2). gateway is the IPv6 
address of the next hop router. type unit is the interface, when routing on a per-interface basis (such as 
serial 0/0). 


To add a default route through a gateway, use the following command: 


CLI (configure)> ip route ::/0 { <gateway> | <type> <unit> } 
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2.3 


IPV6 DEBUG AND STATISTICS 


To display the content of the IPv6 routing table: 


CLI> show ipv6 route 


To display IPv6 related information of an interface: 


Example: 





Flags: 


Encapsulation: 
Down-time 01:38:55, 
Hardware address is 08:00:51:13:08:05, 


(0x8021) MULTICAST ARP, 
Ethernet v2, MTU 1 
status change 


line protocol is down 
interface index is 101 


500 bytes 
count 0 


CLI> show ipv6 interfaces [<type> <unit>] 


CLI> show ipv6 interfaces fastethernet 0/0 
FastEthernet 0/0 is up, 


ARP timeout 7200 sec 


Line speed unknown 


Mean IP input/output rate 0/0 bits/s, 


Output queuing strategy: fifo, 
Reliability: 255/255 
IN: 0 packets, 0 bytes, 0 queue drops 
0 broadcasts, 0 multicasts, 0 errors, 
0 unknown protocols 
OUT: 0 packets, 0 bytes, 0 queue drops 
0 broadcasts, 0 multicasts, 0 errors, 


To display IP routing and TCP/UDP statistics: 


CLI> show ipv6 traffic 


Example: 


CLI> show ipv6 traffic 


IPv6 statistics: 
IN: 0 total, 

0 too short, 
0 bad option, 


0 bad 


0 dropped by services 
OUT: 0 forwarded, 
0 no route, 


0 dropped by services 


UDPv6 statistics: 


IN: 0 total, 0 no port 
0 buffer-full drops 
OUT: 0 total 


TCPv6 statistics: 


0 local destination 


version, 0 can't forward 


0 bad scope 
0 fragments received, 


0 packets reassembled, 


0 local source 
0 no buffer 
0 packets fragmented, 


0 can't fragment, 


(unicasts), O no port 
, O checksum errors, 


0/0 packets/s 
output queue length/depth 0/126 


0 discards 


1 discards 


(0/0 queue length/drops) 


0 fragments dropped, 


0 fragments created 


(broadcasts) 
0 bad length, 


0 too short 


IN: 0 total 
0 checksum error, 0 bad offset, 0 too short 
0 packets (0 bytes) in sequence 
0 dup packets (0 bytes) 
0 partially dup packets (0 bytes) 
0 out-of-order packets (0 bytes) 
0 packets (0 bytes) with data after window 
0 packets after close 
0 window probe packets, 0 window update packets 
0 dup ack packets, 0 ack packets with unsend data 
0 ack packets (0 bytes) 
OUT: 0 total, O urgent packets 
0 control packets 
0 data packets (0 bytes) 
0 data packets (0 bytes) retransmitted 
0 ack only packets (0 delayed) 





0 window probe packets, 
connections established 


0 window update packets 


(including 0 initiated, 


0 accepted) 


connections closed 


OOo: 2 


keepalive timeout, 


total rxmt timeout, 


(including 0 dropped, 
0 connections dropped 
0 keepalive probe, 
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0 embryonic dropped) 
in rxmt timeout 


IPv6 traffic statistics can be cleared by means of the following command: 


Guide 


(over the last 4 seconds) 


0 timeouts 


0 connections dropped in keepalive 
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CLI> clear ipv6 traffic 


To debug IP packet traffic: 
CLI> [no] debug ipv6 packet {in | out} 


To debug ICMP neighbor discovery: 
CLI> [no] debug ipv6 nd 
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2. 


4 


IPV6 CONFIGURATION EXAMPLE 


configure terminal 

interface FastEthernet 0/0 

ip address 220.24.2.1 255.255.255 
ipv6 address prefix 2200: :0010/64 


.0 


description %%%%%%%%%%%% FastEthernet %%%%%%%% 


no ip unreachables 

exit 

interface FastEthernet 0/1 

ip address 1.1.1.2 255.255.255.0 
ip address 193.168.1.224 255.255. 
exit 

interface FastEthernet 0/2 

ip address 2.2.2.2 255.255.255.0 
ip address 193.168.2.224 255.255. 
ip address 193.253.160.3 255.255. 
exit 

interface FastEthernet 0/3 

ip address 3.3.3.2 255.255.255.0 
ip address 192.168.3.224 255.255. 
exit 

interface FastEthernet 0/4 

ip address 4.4.4.2 255.255.255.0 
ip address 194.169.1.224 255.255. 
exit 

interface Loopback 100 

ipv6 address prefix 6220: :0100/64 
exit 
virtual-template ppp 10 
authentication no 

no password 

magic number not-—negotiable 
reconnection automatic 

execute 

exit 

interface serial 0/0 
physical-layer 

G703-G704-Interface 
clock master 
no ts 1-31 
ts 1-31 
exit 

exit 

profile 10 

execute 

ipv6 address prefix 2100: :0021/64 
exit 

ip route 0.0.0.0 0.0.0.0 serial 0/ 
ipv6 route 6200::/64 Serial 0/0 
exit 
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3 IP SECURITY 





3.1 IPSEC INTRODUCTION 


IP security (IPsec) is a suite of IP protocols that permit IP flows to be encrypted and/or authenticated. For 
example, if you want to transport information securely from one sub-network A to one other sub-network B 
by using a untrusted network (for example, the Internet), [IPsec provides some guarantees about several 
security levels for delivering packets from A to B and vice-versa. Below is represented an example of an 
IPsec application: 















































Sub Network A ‘Sub Network B 


IPsec Tunnel: Encrypted and/or Authenticated 
The packets exchanged between sub-networks A and B are transported in an IPsec tunnel. IPsec is 
actually broken down in two flavors: the tunnel mode and the transport mode. 


e The transport mode is usually applied when the IPsec session is terminated directly in the hosts. 
Indeed, the IP header is not modified, only the payload changes. 


e When using the tunnel mode, a new IP header is added and corresponds to the source and 
destination addresses of the IPsec gateways as shown on the figure above. When no authentication 
and encryption is applied, an IPsec tunnel is quite similar to a GRE tunnel. 


The diagram below illustrates both modes when using an Authentication Header (AH). 
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Transport Mode: IP Header is kept 

















IP Header Payload 





IP Header AH Payload 

















Tunnel Mode: new IP Header 





IP Header Payload 








new IP Header AH IP Header Payload 




















IP security protocols are based on cryptographic algorithms. The keying material between two hosts 
provides several properties: 


e Integrity of the packet: if modified, the packet is recognized as such and is then dropped. For example, 
a malicious user cannot change the source IP address of the packet so as to speak on behalf of the 
real emitter. 


e Authenticity: it is guaranteed that the packet comes from the host X, because the packet has not been 
altered and the encryption could only be performed by means of a secret keying material. 


e Confidentiality: the packet can be fully encrypted; therefore it cannot be read by any third party that 
has no prior knowledge of the keying material. 


e Security: prevents security against certain attacks such as unauthorized insertion of frames. 


There are two types of IPsec encapsulations: 


e The Authentication Header (AH) provides authenticity using one of the two following hashing 
algorithms: HMAC-SHA1, HMAC-MD5 (RFC 2104). Refer to diagram above for AH packet structure. 


e The Encapsulation Security Payload (ESP) provides encryption and optional authentication using the 
following protocols algorithm: for encryption NULL (no encryption) or DES (64 bits) or 3DES (92 bits) 
or AES (128, 192 or 256 bits) and for authentication HMAC-SHA1 (80 bits) or HMAC-MD5 (64 bits) or 
no authentication. 


An ESP packet has the following structure: 


Tunnel Mode: new IP Header, full IP packet encryption 






































IP Header Payload 
ESP ESP 
new IP Header | ESP Header IP Header Payload trailer auth: 
« Encrypted ™ 
< Authenticated 





Optional compression is provided when using authentication and/or encryption. The compression is 
applied on outbound packets (IP header + payload), and then it is authenticated and/or encrypted. The 
resulting compressed data require less CPU for encryption. Furthermore, it limits the overhead due to the 
encapsulation (20 bytes for IPV4 packet) plus IPsec overhead (12 bytes for AH, variable-size for ESP 
packet with padding). 


The encapsulation type of an IP packet in one of the IPsec modes is called a "transform set". 
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To enable peer IPsec gateways to understand each other, both instances of the IPsec protocol contain a 
Security Protocol Index (SPI), that is added to the protocol type (AH or ESP) and the IP destination. 
SPI and source address uniquely identify a Security Association (SA). 


As a tunnel is bi-directional, two SAs are required, one for each direction. 


IPsec not only defines how the traffic is secured, but also which traffic should be encrypted. It is managed 
by the Security Policy Database (SPD): it is a table made up of several entries. The SPD is a table whose 
entries provide a set of selectors and associated actions. A selector is a filtering criterion that determines 
the action to apply on a packet. (It can be forwarded, dropped, or processed with specified IPsec SA 
parameters). For example, all inbound traffic passes through a crypto map. If packet is not encrypted and if 
it matches a SPD entry, then the packet is dropped. If the packet is not encrypted and does not match an 
SPD entry, it is forwarded. 


IPsec protocols are highly robust but this robustness is as good as the secrecy of the keying material. 
Obviously, a poor management of the keying material weakens many robust cryptographic techniques. 
Among solutions to increase robustness of the security associations: 


e Decrease the lifetime of a security association to renew the keys quite often. Since the keys are 
refreshed, the hacker has to compute and break keys much more often. Therefore, it makes it harder 
for a pirate to make eavesdropping. For example, 1200 seconds is reasonable for a simple DES 
transform. 


e Using a strong keying material. Indeed, some key generators are weak and keys are thus easier to 
break. 


e Using advanced transforms. For example, 3DES is stronger than DES, because key length is three 
times longer than the DES transform. AES is also stronger than 3DES; this is due to the encryption 
method. 


e Using proprietary transforms. Unlike DES family or AES, some transforms are not known from the 
public. Hence it is harder to break keys without prior knowledge of the technique used. 


3.1.1 Internet Security Association and Key Management Protocol (ISAKMP) 


As the renewal of keys must be synchronized at both end points of the IPsec tunnel, a framework called 
ISAKMP (Internet Security Association and Key Management Protocol) is implemented. ISAKMP provides 
the following services: 


e Internet Key Exchange (IKE): IKE permits to negotiate dynamically IPsec SA between two IPsec 
peers. Before negotiating the SA, a secure data channel must be established between the peers. 
Once this secure channel is established, the peers can negotiate faster and more efficiently the setup 
of IPsec SA, as the exchanged information is already secured. Therefore, this channel is a 
management channel. The channel is called an ISAKMP Security Association (SA) (-which can be 
rather confusing-); however, this special SA should not be mixed up with the conventional IPsec SA. 


This part is also referred to as IKE phase 1. During this phase, the authentication data permits the 
validation and completion of the IKE SA establishment. The keys for IKE SA authentication are 
actually retrieved through an external mechanism, independent of the IKE protocol (see further "Pre- 
shared keys and Digital certificates"). 


During IKE phase 1, the peers exchange: 
o ISAKMP SA parameter offer 
o Keying material 
o Identification and authentication data 


o Negotiation of security attributes: ISAKMP sends to the remote peer which traffic should be 
selected, and how it should be encrypted. 


e IPsec SA Negotiation: This part is also called IKE phase 2. As an IKE SA was created in phase 1, a 
secure communication path exists between the two IPsec peers. This second phase enables the 
creation of IPsec SA, which creates a secure communication tunnel for user traffic. 


IKE will create the SA by exchanging the SA parameters stored in the Security Policy Database (SPD) 
and generate the keys. The keys are automatically generated by IKE for each SA using Oakley key 
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determination protocol (RFC 2412). Here, the user can select the aggressive mode (1.5 round trips 
taking less time to establish) or the main mode (3 round trips more robust towards attacks). 


As the encryption keys are relatively short (56 bits for DES), it takes not too long for a computer to 
"crack" a key. Therefore, the keys need to be refreshed quite often. The Oakley quick mode is used 
for key refresh and the refresh timer can be adjusted (short key refreshed quite often — less 
computation — or longer/more robust key refreshed after longer intervals). 


Once the IPsec SA is created, it is registered in the Security Association Database. The IPsec SA 
exists as long as there is user traffic for that SA. If no user traffic transits through that SA during a 
configured inactivity period, it is destroyed. 


Pre-shared keys and Digital certificates 


Pre-shared keys are the simplest way to authenticate during IKE phase 1. In this method both the initiator 
and responder must have the same pre-shared keys. The keys are agreed upon in advance using an out- 
of-band technique. One disadvantage of this method is that the distribution of the secret to the peers must 
occur in a secured way or is based on trust. Another disadvantage is that in IKE main mode, because the 
ID payloads are encrypted, the responder is not aware of the identity of the initiator. In remote access 
scenarios such as telecommuting, the source IP address of the initiator is not known in advance to the 
responder. In such cases, aggressive mode is the only choice with pre-shared key authentication. 


As of V4.2R5E6 software release, digital certificates are supported as an alternative method to 
authenticate peers. Each peer has a private key and corresponding public key. The private key is used for 
encryption purposes of the information to send. The public key is put in a certificate along with the peer’s 
ID. The certificate is signed (digital signature) by a Certificate Authority (CA). Each peer sends during the 
IKE phase 1 its certificate to the other peer. On reception of the certificate each peer first authenticates the 
certificate by re-calculating its digital signature using the CA public key which is in the root certificate. If a 
digital signature match is found, the router can trust its peer, based on its trust in the Certificate Authority. 
Next the hash values exchanged during the IKE phase 1 are signed by the private keys of each peer. The 
recipients of the signature will use the signer’s public key to decrypt and verify the message. 


The set-up of an IP VPN network with digital certificates is based on a public key infrastructure. Each 
router needs a private and public key pair and a corresponding digital certificate. The digital certificate 
(self-certificate) is stored on the router, typically on the file system. To generate the certificate, the contents 
are prepared and sent to the CA in a pre-defined format. The most widely used format for digital 
certificates is X.509, which is supported by OneOS. The CA signs it (i.e. add a digital signature of the 
certificate contents using the CA private key) and returns the signed certificate to the requester, who then 
stores it on the router. The Certificate Authority can be a company specialized in delivering this service 
(e.g. VeriSign). Alternatively, the organization that owns the routers can set-up its own Certificate 
Authority. The latter is worth considering if it concerns a large network with many routers and according 
certificates. 


Each OneOS-based router may have a single certificate for |Psec VPN. In addition the router must also 
store the CA root certificate for authenticating the peer’s certificate. Note that each certificate has also a 
validity period, which is checked. The validity period of a certificate is typically 20 years. 


As of V4.3R3E2 software release, a trust-point encapsulates the certificate revocation check rules, used by 
an ISAKMP profile. It is used to verify the validity of the certificate used to set up a secure connection. 
When an ISAKMP profile is configured to use a trust-point (referenced via its name string), during the 
setup of an SA, it will use the revocation-checks configured for that trust-point. 


IKE keepalive and Dead Peer Detection 


IP reachable IPsec peers is required for an IPsec session to be established between them. IPsec and IKE 
have by default no way to identify the loss of peer connectivity. Therefore OneOS provides the 
configuration of an IKE periodic keepalive mechanism. The keepalive interval and maximum number of 
retries are configurable. 


Dead Peer Detection (DPD — RFC 3706) is an alternative mechanism that is more scalable than IKE 
keepalive in detecting dead IPsec peers. DPD does not send any messages between the peers whenever 
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there is IPsec traffic running. If an IPSec peer needs to send itself traffic and it did not receive any traffic 
from its peer for a certain time, it sends a DPD exchange to check connectivity. This mechanism saves 
more resources on the router than the keepalive mechanism. 


IPsec encapsulated GRE and L2TP tunnels 


Designing a VPN using IPsec for connectivity between peers has some inherent limitations. These are: 


IPsec can encrypt/decrypt only IP traffic. 


IP traffic destined to a multicast or broadcast IP address cannot be handled by IPsec, which means 
they cannot traverse the IPsec tunnel. Broadcast and multicast packets are typically used by routing 
protocols. 


IPsec encapsulated GRE or IPsec encapsulated L2TP tunnels (RFC 3193) provide a solution. Like native 
IPsec, they can be set-up in transport and tunnel mode. Unlike native IPsec tunnels, IPsec encapsulated 
GRE and L2TP tunnels are almost always used in IPsec transport mode as GRE or L2TP provide already 
a new IP header on the payload. This is the supported mode in OneOS. The drawings below show 
respectively a packet for GRE over IPsec and L2TP over IPsec. 


NAT Traversal (RFC 3947) 


Because of the integrity check performed by IPsec, IPsec packets must be modified by no means. If a 
Network Address Translator (NAT) is found along the IPsec packet path, the packets are no more valid. To 
allow IPsec packets to go through NAT, the NAT-Traversal (NAT-T) feature is needed. NAT-T is by default 
active. NAT-T consists of two functions: 


NAT discovery: during the IKE peering session establishment, the endpoints try to determine whether 
their remote peer support NAT-T. The NAT will be detected by comparing hashes of the sent NAT 
discovery payloads. If NAT is detected, NAT-Traversal must be enabled 


NAT-transparent encapsulation: once the NAT is discovered and that the peers agreed to use NAT-T, 
the IPsec packets are not directly encapsulated in an IP tunnel packet but rather within an UDP 
packet. Such encapsulation enables to pass several tunnels using a single public IP address. 


IPsec Processing Path 


IPsec is applied (if enabled) at the following stages of the IP processing path: 


e Outbound: after NAT processing, i.e. the source IP address of tunneled packets is the IP address of 
the output interface 


e Inbound: before NAT processing. 


As a result: if you enabled NAT overload on an interface where a crypto map is enabled, IPsec may 
not function properly. The reason is: when a packet is routed to the interface, it is first NAT-ted. Then the 
packet passes through the IPsec policy. Because the packet was NAT-ted, it may not match the IPsec 
policy any more. Two solutions are possible: the first solution is to configure NAT overload for packets not 
matching the IPsec policy (selective NAT overload: packets are filtered through an ACL. If they match, 
then packets are NAT-ted). The second solution is to detach the crypto map from the interface and to 
configure a tunnel interface. The second solution requires that the IPsec peer supports NAT-Traversal. 


IP QoS and IPsec 


To allow appropriate output QoS processing, the payload packet TOS byte is copied in the tunnel header. 
This copy enables the TOS marking at the input of the router and the output traffic can be classified based 
on the TOS/DSCP/precedence fields. 
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3.2 IPSEC CONFIGURATION 


3.2.1 Configuration Steps 


The configuration steps are the following: 


1) Define an IPsec transform set(s): transform sets are templates where you define a type of packet 
processing for encryption and authentication. The transform set is applied later on one or more interfaces. 


2) Choose how the IPsec SA (Crypto Maps) are managed: 
e Using manual crypto maps. 
e Using standard ISAKMP crypto maps. If you have selected ISAKMP, you must also configure IKE. 


e Using dynamic ISAKMP crypto maps. Standard ISAKMP SAs are (nevertheless) established 
dynamically when a packet must be sent by one of the tunnel peers; that peer being the initiator of the 
ISAKMP communication. However, there are some cases where the remote peer does not have a 
predefined IP address (for example, nomad users). Dynamic ISAKMP crypto maps solve this issue: a 
server responds to ISAKMP clients. Only the target IP address of received packets is checked. 


e Using Easy VPN crypto maps. 


3.2.2 IPsec Transforms 


An |Psec Transform defines how an IP packet should be secured; it defines the IPsec encapsulation used: 
AH and ESP. It contains information on the algorithm(s) used within the transform. 


To create an IPsec transform named name and enter in IPsec transform configuration mode, use the 
following command in global configuration mode: 


CLI (configure)> crypto ipsec transform-set <name> 
CLI (crypto-trans) > 


To remove an IPsec transform, use the no form of the above command: 





CLI (configure)> no crypto ipsec transform-set <name> 


To configure AH encapsulation, use the following command in transform configuration mode. 
AH encapsulation supports HMAC-SHA1 and HMAC-MD5 algorithms. Use comp-deflate optional 
parameter to activate the IP compression using the "deflate" algorithm (RFC 1951). 


CLI (crypto-trans)> ah-sha-hmac [comp-deflate] 
CLI (crypto-trans)> ah-md5-hmac [comp-deflate] 





To configure ESP encapsulation, use the following command in transform configuration mode. 
ESP encapsulation supports the NULL, DES, 3DES, AES-192 and AES-256 algorithms for encryption. 
HMAC-SHA1 and HMAC-MD5 authentication algorithms are optional. 


Note: If you use ESP, it is strongly advised to use AES with a 256-bit key, as long keys have almost no 
impact on performance and guarantees a higher level of security. 


CLI (crypto-trans)> esp-des [esp-sha—-hmac | esp-md5-hmac] [comp-deflate] 
CLI (crypto-trans)> esp-3des [esp-sha—-hmac | esp-md5-hmac] [comp-deflate] 
CLI (crypto-trans)> esp-aes [esp-sha—-hmac | esp-md5-hmac] [comp-—deflate] 
CLI (crypto-trans)> esp-aes-192 [esp-sha-hmac | esp-md5-hmac] [comp-—deflate] 
CLI (crypto-trans)> esp-aes—256 [esp-sha-hmac | esp-md5-hmac] [comp—deflate] 


NULL encryption is supported but authentication is then compulsory. 











CLI (crypto-trans)> esp-null { esp-sha-hmac | esp-md5-hmac} [comp-—deflate] 
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To change the mode associated with the transform set, enter the following command: 


CLI (crypto-trans)> mode { transport | tunnel } 


e transport: Transport mode adds an IPsec header to the packet. 


e tunnel: (default) Tunnel mode adds a new IP header and an IPsec header to the packet. 


3.2.3 Crypto Map 


A crypto map is a set of IPsec properties applied to an interface. It corresponds to the Security Policy 
Database configuration. A crypto map has several entries, each one standing for a security policy entry 
and associates the IP traffic to secure, the transform used and the remote tunnel end-point. 


There are two types of crypto maps entries: manual and ISAKMP. Manual crypto map entries require to 
implicitly configuring the keying material, while ISAKMP crypto map entries need less information, provided 
that IKE is configured (see 3.2.5). 


3.2.3.1. |Manual Crypto Map Entries 


To configure a manual crypto map entry named name, and enter in crypto map configuration mode, use 
the following commana: 


CLI (configure)> crypto map ipsec-manual <name> <sequence-number> 
CLI (crypto-manual) > 





sequence-number indicates the order/priority in which a packet is matched with selectors. 
To remove a manual crypto map entry, use the following command: 


CLI (configure)> no crypto map <name> 


To define the selector (IP filter that needs to be processed using IPsec), attach an access-list to it. Use the 
following command in crypto map configuration mode: 


CLI (crypto-manual)> match address <acl-name> 
To remove the access-list and make all packets being authenticated/encrypted, use the no form of the 
command: 


CLI (crypto-manual)> no match address 


To configure the remote tunnel end-point, use the following command in crypto map configuration mode: 
CLI (crypto-manual)> set peer { <A.B.C.D> | <hostname> } 

A.B.C.D or hostname designates the address of the remote IPsec endpoint. To remove tunnel endpoint 

and deactivate crypto map entry, use the no form of the command: 


CLI (crypto-manual)> no set peer { <A.B.C.D> | <hostname> } 


Only one transform set can be applied per manual crypto map entry. To apply the selected IPsec transform 
to the crypto map entry, use the following command in crypto map configuration mode: 


CLI (crypto-manual)> set transform-set <name> 


To detach the IPsec transform from the crypto map entry, use the no form of the command: 


CLI (crypto-manual)> no set transform-set 
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Configuring keying material manually is permitted on manual entries. Primary, it is compulsory to set two 
security parameter indexes (SPI), one for each direction. Secondly, keying material must be provided 
according to the chosen transforms. 


AH transform: HMAC-SHA1 requires a 20-byte key length, whereas HMAC-MD5 requires a key length of 
only 16-bytes. 


To configure AH keying material, use the following commands in crypto map configuration mode: 


CLI (crypto-manual)> set security-association inbound ah <spi> 
{ <HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B> } 











CLI (crypto-manual)> set security-association outbound ah <spi> 
{ <HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B> } 























ESP transform: DES requires an 8-byte key length, AES-128 requires a 16-byte key length, 3DES and 
AES-192 require a 24-byte key length and AES-256 requires a 32-byte key length. HMAC-SHA1 requires a 
20-byte key length, whereas HMAC-MD5 requires a key length of only 16-bytes. 


To configure ESP keying material, especially encryption keys, use the following commands in crypto map 
configuration mode. The first argument is the key for encryption and the second one for authentication. 
When the encryption is NULL, the authentication key must be provided. 


CLI (crypto-manual)> set security-association inbound esp <spi> 
{<HEX-KEY-STRING-8B> | <HEX-KEY-STRING-16B> | <HEX-KEY-STRING-24B> | 
<HEX-KEY-STRING-32B>} [<HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B>] 
























































CLI (crypto-manual)> set security-association outbound esp <spi> 
{<HEX-KEY-STRING-8B> | <HEX-KEY-STRING-16B> | <HEX-KEY-STRING-24B> | 
<HEX-KEY-STRING-32B>} [<HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B>] 




































































If IPsec transform requires compression, two compression parameter indexes must be configured, thanks 
to the following command line: 


CLI (crypto-manual)> set security-association outbound ipcomp <cpi> 
CLI (crypto-manual)> set security-association inbound ipcomp <cpi> 


You must provide the compression ID (cpi) with the same values at both ends of the IPsec tunnel (cpi 
range: 0...65535). 


Use the following command line to remove all inbound keying material: 


CLI (crypto-manual)> no set security-association inbound 


Use the following command line to remove all outbound keying material: 





CLI (crypto-manual)> no set security-association outbound 


Then exit the crypto map configuration mode: 


CLI (crypto-manual)> exit 
CLI (configure) > 


3.2.3.2 Standard ISAKMP Crypto Map Entries 


Before you start: 
Standard IPsec ISAKMP crypto maps must be used in the following cases: 
e |Psec clients using IKE, the remote peer is a server using dynamic ISAKMP crypto maps 


e Symmetric mode: when the concept of client/server is not used, both IPsec peers must use such 
standard ISAKMP crypto maps 
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Configuration: 


To configure an ISAKMP crypto map entry named name, and enter in crypto map configuration mode, use 
the following command: 





CLI (configure)> crypto map ipsec-isakmp <name> <sequence-number> 
CLI (crypto-isakmp) > 





sequence-number indicates the order/priority in which a packet is matched with selectors. 
To remove an ISAKMP crypto map entry, use the following command: 


CLI (configure)> no crypto map <name> 


Within a crypto map entry, to select IP traffic, use the following command to attach an access-list to it: 


Only permit rules with true network or host addresses must be used within the access-list that 
must not contain a rule such as permit ip 0.0.0.0 255.255.255.255 ... 


CLI (crypto-isakmp) > match address <acl-name> 


To modify IP selectors for next SA negotiation, or to prevent a future SA negotiation, you can detach 
access-list from the crypto map entry. 


CLI (crypto-isakmp) > no match address 


To configure the tunnel end-point, use the following command: 


CLI (crypto-isakmp)> set peer { <A.B.C.D> | <hostname> } 


To remove tunnel endpoint and deactivate crypto map entry, use the following command: 





CLI (crypto-isakmp)> no set peer { <A.B.C.D> | <hostname> } 


Only one transform set can be applied per ISAKMP crypto map entry. To apply the selected IPsec 
transform to the crypto map entry, use the following command: 


CLI (crypto-isakmp) > set transform-set <name> 


To detach the IPsec transform from the crypto map entry, use the no form of the above command: 





CLI (crypto-isakmp)> no set transform-set 


Other security parameters are negotiated with ISAKMP endpoint. The lifetime of the SA is a parameter and 
can be either expressed in kilobytes and/or in seconds. For example, an IPsec SA will need to be 
refreshed when the total quantity of secured packets reaches 100 megabytes. To configure the SA lifetime, 
use the following commands: 


CLI (crypto-isakmp) > set security-association lifetime seconds <1-131071> 





CLI (crypto-isakmp) > set security-association lifetime kilobytes 
<500-500000000> 


The default value for SA lifetime is configured to 3600 seconds and less than 100 MB. To reset the lifetime 
to default values, use the default command: 


CLI (crypto-isakmp) > default set security-association lifetime { seconds 
| kilobytes } 


The lifetime in kilobytes and the lifetime in seconds can be configured at the same time. Both are taken 
into account (default behavior); the one that triggers first causes the SA pair to be renegotiated. Note that 
IPsec service is not interrupted by renegotiation of SA. In addition to the hard limit configured, a soft limit is 
derived. This soft limit is reached when a high percentage of the hard limit (such as 90%) is reached and 
the SA-refresh then starts to take place. 


Advanced IP User Guide Page 3.2-27 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 


To disable a lifetime setting (seconds or kilobytes) to be taken into account for the lifetime of the SA, use 
the following command: 


CLI (crypto-isakmp)> no set security-association lifetime { seconds 
| kilobytes } 


Perfect Forward Secrecy (PFS) is an optional service for exchanging keys. PFS allows the use of keys that 
are not derived from the initial IKE negotiation. Indeed, this initial negotiation makes it easier to hackers to 
extract the pre-shared secret. When renegotiating SA, if PFS is configured, keys are regenerated, and 
exchanged by means of PFS. To configure perfect forward secrecy on a crypto map entry, use the 
following command: 


CLI (crypto-isakmp)> set pfs { groupl | group2 | group5 } 


To remove perfect forward secrecy, use the no form of the above command: 





CLI (crypto-isakmp)> no set pfs 


It is possible to define when the ISAKMP negotiation shall start: 


e leased-line: The IPsec tunnel is automatically connected when the crypto map is configured on an 
interface. Use this when the IPsec SA connection is to be available regardless of user data. 


e dial (default setting): Specifies the manual setting to direct the crypto map to wait for user data 
before attempting to establish the IPsec connection. 


e incoming: The crypto map will wait for an incoming request to establish an IPsec connection. 
(passive mode) 


CLI (crypto-isakmp)> set type { incoming | leased-line | dial } 


To return to the (default) dial type, use the no form of the above command: 


CLI (crypto-isakmp)> no set type 


To apply an ISAKMP profile to the crypto map, use the following command: 


CLI (crypto-isakmp)> set isakmp-profile <isakmp-profile-name> 


To remove the ISAKMP profile from the crypto map, use the no form of the above command: 


CLI (crypto-isakmp)> no set isakmp-profile 


Then exit the crypto map configuration mode: 


CLI (crypto-isakmp)> exit 
CLI (configure) > 


3.2.3.3. Dynamic ISAKMP Crypto Map Entries 


Before you start: 


Dynamic crypto maps must be used on the ISAKMP server (responder side). The clients (ISAKMP 
initiators) must use standard crypto maps entries. Because the server does not know the peer IP address, 
only the source address of outgoing packets (source policy) is checked. The dynamic crypto map 
configuration is achieved in two steps: 


1. Define the dynamic crypto map configuration template 
2. Declare a policy in the Security Policy Database using the template 
The differences between the standard and the server modes are: 


e The peer IP addresses are not known in advance, therefore the peer IP address is not configured 
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e Because the peer IP address is not known, the permit rules of the access list can not filter any 
destination network. The permit rules must have the following form: permit ip <local- 
network> any 


Configuration: 
First, use the next command to enter in dynamic crypto map configuration template mode: 
CLI (configure)> crypto dynamic <template-name> 


CLI (crypto-template) > 


To remove a dynamic crypto map configuration template, use the following command: 





CLI (configure)> no crypto dynamic <template-name> 


Second, in dynamic crypto map configuration template mode, you can enter the same parameters as ina 
standard ISAKMP crypto map (see 3.2.3.2) with the following differences: 


The command set peer is not available. 
The following command is used to activate reverse route injection (RRI) in dynamic crypto map: 
CLI (crypto-template)> reverse-route 
Note that this command is only necessary if the physical interface where the tunnel traffic is received is 


different from the interface of the default route. When RRI is used an "IPsec" route appears in the routing 
table. 


To remove RRI from the dynamic crypto map, use the no form of the command: 


CLI (crypto-template)> no reverse-route 


Then, exit from this mode and return to the global configuration mode to create the dynamic crypto map in 
the policy database: 


CLI (crypto-template)> exit 
CLI (configure) > crypto map dynamic <name> <sequence-number> <template- 
name> 





Where name is the name of the policy map, later used in the configuration to apply it to an interface and 
sequence-number is the index of the crypto map in the policy database. 


To remove a dynamic crypto map entry, use the following command: 





CLI (configure)> no crypto map dynamic <name> <sequence-number> <templat 
name> 


3.2.3.4 Easy VPN Crypto Maps 


Easy VPN simplifies the design of an IPsec network with multiple remote sites to be connected to one 
central site (hub-and-spoke topology). Typically, the remote sites have an extension of the corporate 
private LAN of the company's headquarters (i.e. a private subnet on their LAN side). Both on the central 
site and on the remote sites, the configuration is simplified by applying Easy VPN. The central IPsec 
concentrator learns automatically the private IP networks through Mode Configuration (MODE-CFG) when 
establishing the tunnels, which simplifies configuration of IP routing in IPsec concentrator. The private IP 
networks are reached by the remote IPsec via the tunnel. These private networks are defined as inside 
interfaces. The interface to reach the remote |Psec is defined as outside interface. Authentication with 
IKE Extended Authentication (Xauth) also helps in simplifying management as the authentication 
passwords for IKE establishment are held in a central database. 


OneOS supports Easy VPN in client and server modes. Refer to 3.2.4 for Easy VPN configuration. 


Advanced IP User Guide Page 3.2-29 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 


3.2.3.5 


Applying a Crypto Map to an Interface 


Before you start: 
OneOS delivers two alternatives when applying a crypto map to an interface: 


e Physical Interface: the crypto map is directly applied on the output interface. In this mode, the 
packets which have been routed to this output interface are processed by IPsec (encryption, 
encapsulation in case of tunnel mode). In case of IPsec tunnel mode, the packets are routed again 
with the tunnel endpoint IP address. 


e Tunnel Interface: the crypto map is applied on the tunnel interface. Packets are first routed to a 
tunnel interface. Once encapsulated (GRE, IPIP...) and IPsec encrypted, the new packet is routed 
again through the router. 


Note: Up to OneOS version 4.2R3E7, when configuring a GRE over IPsec tunnel one has to apply the 
crypto map to the output (physical) interface. When applying it to the tunnel interface, no GRE 
encapsulation will be done. In the latter case, packets are processed by IPsec and forwarded to the output 
interface. As of OneOS version 4.2R3E8 the crypto map can be applied either on the physical or tunnel 
interface. 


Configuration: 

To apply the IPsec crypto map on an interface, use the following command line in the interface sub-level: 
CLI (config-if)> crypto map <name> 

If crypto map entries are properly configured, this command fills in security associations and associated 


selectors in the IPsec databases. Use the no form of the above-referenced command to remove entries of 
the databases. 


CLI (config-if)> no crypto map 


3.2.3.6 DF bit in tunnel mode 


IP fragmentation may be prevented due to the DF bit in the IP header. To modify the DF bit in the 
encapsulating IP header for a specific interface, use the following command line in interface mode: 


CLI (config-if)> crypto ipsec df-bit { clear | set | copy } 


clear: the DF bit of the outer IP header is cleared. 
set: the DF bit of the outer IP header is set. 


copy: (default) the DF bit is taken from the inner IP header and copied into the outer IP header. 


e This command is not applicable for IPsec tunnels in transport mode. 


e This command is not taken into account when tunnel path-mtu-discovery is enabled. 
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3.2.4 Easy VPN Configuration 
3.2.4.1. Easy VPN Client 


An Easy VPN client group has several Easy VPN client entries, each one standing for a security policy 
entry. This entry associates the IP traffic to be secured and the remote tunnel end-point. A crypto IPsec 
Easy VPN client always uses ISAKMP. One SA connection (i.e. a separate tunnel) is established for each 
inside interface. Please keep in mind the following principles: 


e IKE aggressive mode is used for the exchange of parameters. 
e Only ISAKMP policy group 2 is supported on Easy VPN servers. 


e All inside interfaces, whether they belong to a tunnel, are listed in interface configuration mode as an 
inside interface, along with the tunnel name. 


e There is no default inside interface. 


e Easy VPN supports only one outside interface. If you attempt to assign it to more than one interface, 
an error message is displayed. You must remove the configuration from the first interface before 
assigning it to the second interface. 


3.2.4.1.1 Easy VPN Client Configuration 


To configure a crypto [Psec Easy VPN client entry, and enter in crypto [Psec Easy VPN client configuration 
mode, use the following command in global configuration mode: 


CLI (configure)> [no] crypto ipsec client ezvpn <name> 
CLI (crypto_ezvpn) > 
name identifies the Easy VPN client configuration with a unique and arbitrary name. 
Use the no form of the command to remove the Easy VPN client configuration. 


Note: you cannot use the no form of the command to delete a crypto IPsec Easy VPN client that is 
assigned to an interface. You must remove that crypto IPsec Easy VPN client configuration from the 
interface before you can delete the configuration. 


By defining which inside interfaces belong to the Easy VPN client configuration (see further), all traffic from 
the subnets on these interfaces that are routed to the outside interface are automatically put in the IPsec 
tunnel. To send other outgoing IP traffic on this interface also through the tunnel, you can attach an 
access-list to it. The access list must not contain a rule such aS permit ip any any, the permit rules 
must always have the following form: 


permit ip <local-network> <destination-network> 


Use the following command to attach the ACL: 


CLI (crypto_ezvpn)> match address <acl-name> 


To detach an access-list from the crypto IPsec Easy VPN client entry: 


CLI (crypto_ezvpn)> no match address 


To configure the tunnel end-point, use the following command: 





CLI (crypto_ezvpn)> peer { <A.B.C.D> | <hostname> } 


To remove tunnel endpoint and deactivate crypto IPsec Easy VPN client entry, use the following 
command: 

CLI (crypto_ezvpn)> no peer 
IPsec can either be established automatically when Easy VPN is configured on the interface (auto) or 


only when an IP packet is routed to the interface and that packet matches the IPsec policy (manual — 
default behavior). Use the next command to set the desired behavior: 


CLI (crypto_ezvpn)> connect { auto | manual } 


Advanced IP User Guide Page 3.2-31 of 130 


ONEOS V4.3R4 / V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 


Easy VPN requires a group name and pre-shared key to be exchanged. With the group name the server 
side can distinguish between different Easy VPN groups. Note that this group name may be different from 
the name entered when creating the Easy VPN client entry. 


To configure the group name and key (that must match the ones configured on the Easy VPN server): 

CLI (crypto_ezvpn)> [no] group <group-name> key <group-key> 
Within an Easy VPN group, the IPsec clients must be individually authenticated by Xauth (note that only 
PAP authentication is supported with Easy VPN). A username and password must be provided: 

CLI (crypto_ezvpn)> [no] username <user-name> password <user-password> 
Because the client device does not have a user interface option to enable or disable PFS negotiation, the 


server will notify the client device of the central site policy during IKE MODE-CFG. The Diffie-Hellman (D- 
H) group that is proposed for PFS will be the same as negotiated in Phase 1 of the IKE negotiation. 


To complete the Easy VPN group configuration, enter the following command: 
CLI (crypto_ezvpn)> exit 
CLI (configure) > 


3.2.4.1.2 Applying Easy VPN client configuration on Interfaces 


Reminder: 


e The outside interface is the interface from which the tunnel is established (only one outside interface is 
allowed/supported) 


e An inside interface connects to an IP network that is reached via the tunnel and advertized to the peer 
by Easy VPN IKE extensions. Multiple inside interfaces are supported. 


To assign an client Easy VPN configuration to an interface, specify with the following command in interface 
configuration mode whether the interface is outside or inside, and configure one outside and one or more 
inside interfaces. To remove the Easy VPN configuration from the interface, use the no form of this 
command. 


CLI (config-if)> crypto ipsec client ezvpn <name> { outside | inside } 
CLI (config-if)> no crypto ipsec client ezvpn <name> 


Notes: 
e An"inside" reference is only allowed if the interface has a fixed IP address. 


e An Easy VPN client configuration should be created before assigning it to an interface. 
3.2.4.1.3. Easy VPN Client configuration example 


An example of Easy VPN Client configuration can be found in 3.6.4. 
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3.2.4.2 Easy VPN Server 


Easy VPN server is not aware of the IP addresses the VPN client (whether a CPE or a PC-based client 
software) will be using to set up the VPN tunnel. The remote user can be connected behind a NAT router 
(NAT-T feature as per RFC 3947 is supported). Xauth is supported for remote user authentication as an 
IKE phase 1 is done in aggressive mode. Without Xauth, the end user cannot be authenticated because 
the pre-shared key (PSK) is common to a group of users. 


IKE Mode configuration (MODE-CFG) is supported for native IPsec clients. MODE-CFG is based on draft- 
dukes-ike-mode-cfg-02 document. The transactions are protected by the ISAKMP SA. The following 
parameters can be given to the nomad users: 


e = ©|Pv4 address 

e |Pv4 network mask 

e |Pv4 Domain Name Server (DNS) addresses (up to 2) 

e |Pv4 NetBIOS Name Server (WINS) addresses (up to 2) 


Reverse Route Injection (RRI) ensures that for each client address a static route is created on the server 
through the VPN tunnel. Refer to 3.2.3.3 for more information on RRI configuration. 


3.2.4.2.1 Easy VPN Server license activation 


Easy VPN server functionalities are only available when "ezvpnserver" software license is activated. 
The related commands are rejected if the license is not activated on the router. License activation is 
possible if the product has sufficiently hardware resources and is pre-loaded with the rights to use the 
license. 


Use the following command in global configuration mode to activate the "ezvpnserver" license. 


CLI (configure)> license activate ezvpnserver 


You are only allowed to use the features covered by this 
license, if OneAccess has granted permissions to you or your 
company. The features covered by the license are: 

—- ezVPN server 

By using one of the above mentioned features, you acknowledge 
that you got these permissions. 


‘ezvpnserver’ license successfully enabled. 
CLI (configure) > 


Note: the "ezvpnserver" software license is also activated when the Advanced Security and IP (ASIP) 
license is activated. 


3.2.4.2.2 Easy VPN Server authentication configuration 


Use the following command, in global configuration mode, to define whether Easy VPN clients’ 
authentication, achieved using Xauth, is done locally or through RADIUS or TACACS+ server. 


radius 


CLI (configure)> [no] aaa authentication login <list-name> { 
| tacacs 


local 
<group-name>} 


list-name is a string of 32 characters at most defining the name of the authentication list. This name is 
referenced to in a crypto ISAKMP profile (See below). 
group-name refers to a list of RADIUS or TACACS+ servers to be used for the authentication. 


This command can be entered several times with the same list name. They are then considered in the 
order they have been entered. For example: if RADIUS and local are entered in this order, to reach the 
RADIUS server for the authentication is tried first; if this fails, the local authentication is done. 


Use the no form of the command to remove the authentication list entry. 


Advanced IP User Guide Page 3.2-33 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 


Use the following command, in crypto ISAKMP profile configuration mode, to enable Xauth authentication 
using the authentication list defined above. 


CLI (crypto_profile)> [no] client authentication list <list-—name> 


Use the no form of the command to disable Xauth authentication (default behavior). 


Use the following command, in global configuration mode, to define user names and passwords for Easy 
VPN clients if local Xauth authentication is used. 


CLI (configure)> username <user-name> password <user-password> [o|1] 


user-name is a string of 64 characters at most 


When last parameter is set to 0 (or not set — default value), user-password is entered in clear-text as a 
string of 32 characters at most. It will then be stored and displayed encrypted. To enter user-password 
already encrypted: set last parameter to 1. 


Use the following command to remove a client's name and password. 


CLI (configure)> no username <user-name> 
3.2.4.2.3. Easy VPN Server MODE-CFG client configuration 


Easy VPN Server can provide the remote users with their network parameters (MODE-CFG). The 
supported allocation methods are: 


e Local allocation: The client's parameters are all configured locally (see below). 


e Using DHCP: IP address, network mask, DNS servers addresses and WINS servers addresses are 
lookup via a DHCP request to an internal or external server. In this case the locally configured 
parameters — in any — are not taken into account. 


e Using RADIUS: When authentication is done through a RADIUS server, it can be configured to return 
also the IP address and the network mask. These parameters are then returned to the client during 
MODE-CFG. Other parameters are not supported in this method. 


Use the following command, in global configuration mode, to enter in client group parameters local 
configuration mode. 


CLI (configure)> [no] crypto isakmp client configuration group { default 
<group-name> } 





CLI (crypto_group) > 


group-name is a string of 32 characters at most corresponding to the one received in the client request. 


default is the group name used for all users who do not offer a group name that matches a group- 
name argument. Default group parameters can only be configured locally. 


Use the no form of the command to remove the client group configuration and all associated locally 
configured parameters. 


Use the following command, in client group configuration mode, to define the IKE pre-shared key for group 
policy attribute definition. This command is mandatory if the client identifies itself with a pre-shared key. 


CLI (crypto_group)> key <crypto-key> [0|3] 
crypto-key is either a clear-text string of 90 bytes at most that can be used encrypted (set the last 


parameter to 0) or not (do not use the last parameter), or an already level 3 encrypted string of 128 bytes 
at most (set the last parameter to 3). 


Use the no form of the command to remove the IKE pre-shared key definition. 


CLI (crypto_group)> no key 
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Use the following command, in client group configuration mode, to allow a client to save his Xauth 
password locally. This command is optional. 


CLI (crypto_group)> save-password 


Use the no form of the command to disallow the client to save his password. 


CLI (crypto_group)> no save-password 


Use the following command, in client group configuration mode, to assign a local pool of IP addresses to 
the clients' group. This command is mandatory unless RADIUS gives already the IP address or a DHCP 
server is configured. 


CLI (crypto_group) > pool <pool-name> 


Use the no form of the command to remove the pool of IP addresses. 


CLI (crypto_group) > no pool 


Use the following command, in client group configuration mode, to define the network mask of the client. 


CLI (crypto_group) > netmask <mask> 


Use the no form of the command to remove the network mask configuration. 


CLI (crypto_group)> no netmask 


Use the following command, in client group configuration mode, to define the primary DNS server (and 
optionally the secondary DNS server) for the clients' group. This command is optional. 


CLI (crypto_group)> dns <dnsserverl> [<dnsserver2>] 


Use the no form of the command to remove the DNS servers' configuration. 


CLI (crypto_group)> no dns 


Use the following command, in client group configuration mode, to define the primary WINS server (and 
optionally the secondary WINS server) for the clients' group. This command is optional. 


CLI (crypto_group)> wins <winsserverl> [<winsserver2>] 


Use the no form of the command to remove the WINS servers' configuration. 


CLI (crypto_group)> no wins 


Use the following command, in client group configuration mode, to define the DNS domain the clients’ 
group belongs to. This command is optional. 


CLI (crypto_group) > domain <domain-name> 


Use the no form of the command to remove the domain configuration. 


CLI (crypto_group)> no domain 


Use the following command, in client group configuration mode, to tell the client to propose Perfect 
Forward Secrecy (because he has no other mean to be asked to propose PFS). This command is optional. 


CLI (crypto_group)> pfs 


Use the no form of the command to remove PFS configuration. 


CLI (crypto_group)> no pfs 
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Use the following command, in client group configuration mode, to define a domain name that must be 
appended for resolution to the private network. This command is optional. 


CLI (crypto_group) > split-dns <domain-name> 


Use the no form of the command to remove the split DNS domain configuration. 


CLI (crypto_group)> no split-dns 


Use the following command, in client group configuration mode, to define the access control list (ACL) for 
the traffic that passes through the VPN tunnel (split tunneling). This command is optional. Without this 
command all traffic from the client passes through the tunnel. 


CLI (crypto_group)> acl <acl-name> 


Use the no form of the command to remove the ACL configuration. 


CLI (crypto_group)> no acl 


Use the following command, in client group configuration mode, to define the address of the DHCP server 
used to retrieve the IP address, the network mask, the DNS and WINS servers' addresses from. If 
configured, these parameters overrule the locally configured parameters. 


CLI (crypto_group)> dhcp server <IP-address> 
Use the following command, in client group configuration mode, to define the DHCP gateway IP address 


(GIADDR) used in the DHCP request message. This command is optional. Without this command the 
Easy VPN Server will pass its address that will determine the scope for the client IP assignment. 


CLI (crypto_group)> dhep giaddr <IP-address> 


Use the no form of the command to remove the DHCP configuration. 


CLI (crypto_group)> no dhcp 
3.2.4.2.4 Easy VPN Server statistics 
Use the following command, in global mode, to display the number of active Easy VPN connections per 


client group. 


CLI> show crypto session groups 


group connections 
MyGroup 2 
RD 1 


Use the following command, in global mode, to display the active connections for each client group. 


CLI> show crypto session summary [<group-—name>] 
group MyGroup has 2 connections 

rohnny with ip 192.168.21.200 

jan 
group RD has 1 connection 

stefan 


3.2.4.2.5 | Easy VPN Server configuration example 


An example of Easy VPN Server configuration can be found in 3.6.5. 
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3.2.5 ISAKMP Configuration 
3.2.5.1. | Crypto ISAKMP Configuration 


ISAKMP packets are sent using UDP on port 500. To permit transmission of ISAKMP packets from the 
OneOS-based router, use the following command in configuration mode: 


CLI (configure)> crypto isakmp enable 


Use the no form of the command to disable ISAKMP exchange: 


CLI (configure)> no crypto isakmp enable 


ISAKMP entities identify themselves using either the outgoing IP address or the hostname. Use the 
following command to define the identity (address is the default value). 


CLI (configure)> crypto isakmp identity { address | hostname } 


Use the no form of the command to apply the default value: 


CLI (configure)> no crypto isakmp identity 


ISAKMP peers share a secret to authenticate each other. This secret is used to encrypt ISAKMP traffic. 
Secret is locally stored and associated to a peer. You can enter a secret for a given address or hostname 
by using the following command line: 


CLI (configure)> crypto isakmp key <key> { address <A.B.C.D> [<mask>] 
| hostname <host> } [vrf <vrf-name>] 
In case of dynamic server, wild cards can be used (such as 0.0.0.0 0.0.0.0) because the peer IP 
addresses are not known in advance. 
You can remove the key by using the no form of the command line: 


CLI (configure)> no crypto isakmp key <key> { address <A.B.C.D> [<mask>] 
| host-name <host> } [vrf <vrf-name>] 


Prior establishing IKE phase 1, both peers agree on the policy used for communicating. They select the 
policy by sending a list of proposals that contains a list of ISAKMP policies ordered in preference order. 


To enter in ISAKMP policy configuration mode, use the following command line: 
CLI (configure)> crypto isakmp policy <identifier> 
CLI (config-isakmp) > 
identifier indicates the preference order. 1 stands for the highest priority, while 10000 stands for the 
lowest priority. A policy is made up of encryption and hash algorithm. 
To configure the encryption used in an ISAKMP policy, use the following command line: 


CLI (config-isakmp)> encryption { des-cbc | 3des-—cbc | aes } 


Default encryption algorithm is des—cbc and is activated by using the following default command line: 


CLI (config-isakmp)> default encryption 


To configure the hashing algorithm (default: sha1), use the following command line: 


CLI (config-isakmp)> hash { md5 | shal } 


CLI (config-isakmp)> default hash 


The authentication method tells how to authenticate with remote peer. Pre-shared key and RSA signatures 
are authorized. 
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To configure pre-shared authentication, use the following command line: 


CLI (config-isakmp) > authentication pre-share 


To configure authentication by using RSA signatures, use the following command line: 





CLI (config-isakmp) > authentication rsa-sig 


To set the default authentication method (pre-share), use: 


CLI (config-isakmp)> default authentication 


The lifetime of ISAKMP SA is configurable by using the following command line: 
CLI (config-isakmp)> lifetime <1-131071> 


CLI (config-isakmp)> default lifetime 


Default value for lifetime is 86400 seconds. Volume limit is not configurable. 


Key exchange requires the selection of a Diffie-Hellman group (DH). The bigger the DH group is, the more 
secured the exchange is. By default, group 2 is provided. Group 2 must be selected for Easy VPN 
configurations. To configure DH group, use the following command line: 


CLI (config-isakmp)> group { 1 | 2 | 5 } 
CLI (config-isakmp) > default group 


The above commands configure the proposed group list that is sent to the remote ISAKMP peer. The 
remote chooses the transform and replies. Once agreed on the transform, both peers forge their keys, and 
pass it to the remote peer using the chosen group. 


To finalize ISAKMP policy configuration: 


CLI (config-isakmp)> exit 
3.2.5.2 ISAKMP Keepalive 


ISAKMP keepalive stands for a facility that enables IPsec gateways to detect dead peers. It is compliant 
with RFC 3706, which specifies that each device must reply to "DPD" queries from remote IKE peers. The 
implementation of dead IKE peer detection is not provided. It is explained hereafter: when sending 
keepalive packets, the ISAKMP peer must respond to the received message. If no answer is received, the 
ISAKMP peer seems to be dead. To make sure the peer is not alive, two additional keepalive messages 
are sent. If no answer is received for both messages, the ISAKMP peer is considered as dead. The 
ISAKMP connection is reset locally as well as its IPsec SAs. 


During the ISAKMP negotiation, the peers exchange whether they support keepalive or not. If the peer 
does not support keepalive, the router will not send keepalive packets over the IPsec tunnel, even if it is 
globally configured to do so. 


Two timers can be configured: 


e The trigger timer: it is the inactivity period during which no traffic has been detected coming from the 
ISAKMP peer or from the corresponding tunnel. If this timer expires, a keepalive message is sent to 
the remote peer to check if it is still alive. The default timer value is 30 seconds. 


e The retry timer: it is the number of seconds between keepalive retries if the previous keepalive 
message fails; the default timer value is 5 seconds. A total of 5 retries is sent before the connection 
with the remote ISAKMP peer is considered as lost. Using the default values this occurs after 30 + 5*5 
+ 5 = 60 seconds. 


ISAKMP keepalive is not enabled by default. To enable ISAKMP keepalive, use the following command 
line to configure keepalive: 


CLI (configure) > crypto isakmp keepalive [<5-120> [<2-60>] [periodic] ] 


The first parameter is the trigger timer in seconds; the second one is the retry timer in seconds. 
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periodic is a keyword meaning that keepalive packets are always sent, even if traffic was detected on 
the tunnel: in that case, the trigger timer is just the duration between two keepalive messages sent. 


To restore the default values and stop keepalive: 


CLI (configure)> no crypto isakmp keepalive 


Application cases for ISAKMP keepalive: 


e ~=6 Re-initialization of IKE: the shutdown command resets active sessions on the interface. The no 
shutdown command allows the re-initialization of IPsec connections if they were present initially. 
Usually, such reconnection request fails and a 3-minute timer is fetched. ISAKMP keepalive 
accelerates the reconnection time. 


e Ability to track the tunnel interface state: the tunnel is up if the ISAKMP connection is up. When the 
tunnel is down, the command show interfaces tunnel displays the remaining time until the next 
IPsec reestablishment retry. 


3.2.5.3. ISAKMP Aggressive Mode 


To configure an IKE peer for aggressive mode, use the following command line: 


CLI (configure)> crypto isakmp peer { address <ip> | hostname <host> } 


Enter the aggressive mode pre-shared key by entering the following command line: 


CLI (config-isakmp-peer)> set aggressive-mode password <psk> 


Example: 
crypto isakmp peer address 172.31.124.229 
set aggressive-mode password presharedkey 
exit 
To remove the aggressive mode pre-shared key enter the following command line: 


CLI (config-isakmp-peer)> no set aggressive-—mode 
3.2.5.4 ISAKMP Profile 


An ISAKMP profile is an enhancement to the ISAKMP configuration. It is used to set parameters of an 
IPsec connection. These parameters consist of the identity of IKE phase 1 connections including IP 
address, fully qualified domain name (FQDN) and the user FQDN (email address). 


The match command allows verifying the peer's identity against a list of known and trusted peers. If the 
identity of a peer is hidden within a certificate, a certificate map can provide even more information about 
the peer's identity (see "Certificate Matching against Criteria" section in "Certificates management" chapter 
of "OneOS — Admin User Guide" document). 


An ISAKMP profile shall be applied to an ISAKMP crypto map (see 3.2.3). 


To configure an ISAKMP profile and enter in ISAKMP profile configuration mode, use the following 
command line: 


CLI (configure)> crypto isakmp profile <name> 
CLI (crypto_profile)> 
To remove an ISAKMP profile, use the following command: 


CLI (configure)> no crypto isakmp profile <name> 


To define the identity that the local IKE will use to identify itself to the remote peer, use the following 
command. Note that if no ISAKMP profile is configured, IKE will use the global configured value (see 
crypto isakmp identity command). 


CLI (crypto_profile)> self-identity { address 
| hostname 
| user-fqdn <user-fqdn> } 
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address (default value within ISAKMP profile) is the IP address of the egress interface. 
hostname is the host name of the OneOS-Based router. 

user-—fqdn is a 64-char long string (usually an email address). 

To make IKE use again the global configured value, use the following command line: 


CLI (crypto_profile)> default self-identity 


To define the identity that the local IKE has to check against the peer's identity, use the following 
command. Multiple match identity commands can be configured. The peer is mapped to the ISAKMP 
profile when its identities (as given in the ID payloads of the IKE) match the identities defined in the profile. 


CLI (crypto_profile)> [no] match identity { address <address> 
| hostname <name> 
| user-fqdn <user-fqdn> } 
address is the value to check against the ID_IPV4_ADDR type field. 
name is the value to check against the ID_FQDN type field. 


user-fqdn is the value to check against the ID_USER_FODN type field. 





To remove an identity from the list to check, use the no form of the above command. 


To use a VRF different from the default VRF, use the following command: 


CLI (crypto_profile)> [no] vrf <vrf-name> 


To remove the VRF, use the no form of the above command. 


When certificates are used for authentication, the following command allows verifying the content of the 
fields of the peer's certificate. This is accomplished by applying a certificate map to the profile (see 
"Certificate Matching against Criteria" section in "Certificates management" chapter of "OneOS — Admin 
User Guide" document). 


CLI (crypto_profile)> [no] match certificate <name> 


name is the name of the certificate map. 


To remove the certificate matching from the profile, use the no form of the above command. 


Prior to the certificate matching, the following command allows checking the revocation of the certificate. 
This is accomplished by activating a trust-point in the profile to check the revocation (see "Certificate 
revocation checking" section in "Certificates management" chapter of "OneOS — Admin User Guide" 
document). 


CLI (crypto_profile)> [no] trustpoint <name> 


name is the name of the trust-point that is activated to check the revocation of the certificate. 


To disable the trust-point checks from the profile, use the no form of the above command. 


3.2.6 Hardware-Accelerated IPsec 


To enable hardware-accelerated encryption, use the following command in configuration mode: 


CLI (configure)> crypto engine enable 


To disable hardware-accelerated encryption, use the following command in configuration mode: 


CLI (configure)> crypto engine disable 


By default, the hardware-accelerated encryption is disabled. 
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3.2.7 NAT Traversal 
3.2.7.1 NAT Traversal Activation 


To disable NAT Traversal on the router, and prevent it from using UDP port 4500, use the following 
command in configuration command mode: 


CLI (configure)> no crypto isakmp nat-traversal udp-encapsulation 
To restore the default configuration, and enable NAT Traversal on the equipment, and use UDP port 4500 
when possible, use the active form of the above command: 


CLI (configure)> crypto isakmp nat-traversal udp-encapsulation 
3.2.7.2. NAT Traversal Port 


To configure NAT Traversal on a specific port, use the following command in configuration command 
mode: 


CLI (configure)> crypto isakmp nat-traversal port <1-65535> 


To restore the default configuration, use the no form of the above command: 


CLI (configure)> no crypto isakmp nat-traversal port 
3.2.7.3. NAT Traversal Keepalive 


The NAT-Traversal detects NAT devices sitting in the middle of the IPsec tunnel path. NAT devices 
maintain a context to keep track of the IPsec session (tunnel). The context is removed after a certain 
timeout. In order to maintain the NAT entry in the intermediate NAT device, dummy UDP packets (with no 
payload) are periodically sent every 20 seconds. To change emission frequency of UDP keepalive 
packets, use the following command in configuration mode: 


CLI (configure)> crypto isakmp nat keepalive seconds <5-3600> 


To disable the NAT keepalive function, use the no form of the above command: 


CLI (configure)> no crypto isakmp nat keepalive 
3.2.7.4 | NAT Traversal Vendor-ID 


Some IPsec connection setup may fail due to compatibility issues regarding NAT-Traversal payload type, 
encapsulation mode and vendor-id hash. Forcing the nat-traversal vendorid to draft-03 may 
solve this problem: 


e rfc3947: (default) uses the RFC 3947 settings regarding ISAKMP NATD and NATOA payload, UDP 
encapsulation mode and vendor-id hash. ISAKMP will fall back to the draft settings when the peer 
does not support the RFC 3947. 


e draft-03: uses the "draft-ietf-ipsec-nat-t-ike-03" settings regarding ISAKMP NATD and NATOA 
payload, UDP encapsulation mode and vendor-id hash. 


CLI (configure)> crypto isakmp nat-traversal vendorid {rfc3947 | draft-03} 


To restore the default configuration (r£c3947), use the no form of the above command: 


CLI (configure)> no crypto isakmp nat-traversal vendorid 





3.3 IPSEC SNMP TRAPS 
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In order to send SNMP traps for every IPsec log message, use the following command: 


CLI(configure)> [no] snmp traps ipsec 


In order to send SNMP traps related to the IKE protocol, use the following command: 


CLI (configure)> [no] snmp traps isakmp 





3.4 IPSEC STATISTICS 


At any stage of the configuration, information about IPsec can be displayed. To display configuration 
information related to IPsec, use the following command line: 


CLI> show crypto config 


To display the IPsec SAs currently configured, use the following command line: 


CLI> show crypto ipsec sa [interface <type> <unit>] 


To display the list of configured transform-sets, use the following command line: 
CLI> show crypto ipsec transform-set 
To display the list of configured crypto maps and their configuration or display the configuration of a 


specific crypto map or the configuration of a crypto map attached to an interface, use the following 
command line: 


CLI> show crypto map [name <name> | interface <type> <unit>] 


To display the statistics on the IPsec related counters, use the following command line: 


CLI> show crypto [ah | esp | ipcomp | ipip] 


To clear IPsec counters displayed in the above command, use the following command line: 


CLI> clear crypto counters 


It is possible to clear all IPsec counters of SAs or per interface, by using the following command line: 
CLI> clear crypto sa { counters | interface <type> <unit> | spi <spi> 
{ah | esp | ipcomp} <A.B.C.D> } 
To display ISAKMP key configuration, use the following command line: 


CLI> show crypto isakmp key 


To display ISAKMP policy, use the following command line (example for the default protection suite): 


CLI> show crypto isakmp policy 


Default Protection suite 
encryption algorithm: DES - Data Encryption Standard (56 bit keys) 
hash algorithm: Secure Hash Standard 
authentication method: Pre-Shared Key 
Diffie-Hellman group: #2 (1024 bits) 
lifetime: 86400 seconds, no volume limit 


To display ISAKMP security associations, use the following command line: 


CLI> show crypto isakmp sa 


To clear ISAKMP counters: 





CLI> clear crypto isakmp statistics 
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To clear encapsulation-related counters: 


CLI> clear crypto { ah | ipip | esp | ipcomp } 


ipip corresponds to the IP tunnel encapsulation header. 





3.5 IPSEC DEBUG COMMANDS 


To debug payload packet processing: 
CLI> [no] debug crypto ipsec [core | crypto | data | sa | spd] 


To debug ISAKMP issues: 


CLI> [no] debug crypto isakmp [config | crypto | exchange | keepalive 
| message | misc | nat-t | negotiation | policy | sa | timer | transport] 





To specify the amount of ISAKMP debug information available (default 20): 
CLI> debug crypto isakmp level <10-90> 
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3.6 IPSEC CONFIGURATION EXAMPLES 


3.6.1 Configuration example of Manual Crypto Entries 


The following example illustrates how to configure an IPsec tunnel with manually configured keys. 


Router A Router B 


10.1.1.0/24 10.1.2.0/24 


212.199.8.1 212.199.8.2 





Router A Configuration: 


configure terminal 
ip access-list extended subl 

permit ip 10.1.1.0 0.0.0.255 10.1.0.0 0.0.255.255 
exit 

crypto ipsec transform-set esp-—3des-sha 

esp-3des esp-sha—-hmac 

exit 


crypto map ipsec-manual client 1 

! Defines a SA with manually configured keys for traffic that matches 
! the ACL subl 

match address subl 

set transform-set esp-—3des-sha 

! Warning: next 2 times 3 lines are 2 times one instruction! 
set security-association inbound esp 0x195831 
89ef 6ee47969b514d0bbc77d99d3£69089a0 £c3778474310 
6lac3e5e8a60bec9 9£54769b36264d0a7970124£ 

set security-association outbound esp 0x195832 
fea63clbae038fa13a931507a293128ea8 6£03ebfc43faab 
181a435£80900737b964ad64814fab7£69ccaab9 
exit 


interface ethernet 0 
ip address 10.1.1.1 255.255.255.0 
exit 


interface tunnel 1 

! Apply the crypto map to the tunnel interface 
ip unnumbered atm 0.1 

tunnel source atm 0.1 

tunnel destination 212.199.8.2 

crypto map client 
exit 
interface atm 0.1 

ip address 212.199.8.1 255.255.255.0 
exit 
ip route 10.1.0.0 255.255.0.0 tunnel 1 


Router B Configuration: 


configure terminal 
ip access-list extended subl 
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permit ip 10.1.2.0 0.0.0.255 10.1.0.0 0.0.255.255 
exit 

crypto ipsec transform-set esp-—3des-sha 

esp-3des esp-sha-hmac 
exit 

crypto map ipsec-manual client 1 

match address subl 

set transform-set esp-—3des-sha 

set security-association inbound esp 0x195832 
fea63clbae038fa13a931507a293128ea8 6£03ebfc43faab 
181a435£80900737b964ad64814fab7£69ccaab9 

set security-association outbound esp 0x195831 
89ef 6ee47969b514d0bbc77d99d3£69089a0 £c3778474310 
6lac3e5e8a60bec9 9£54769b36264d0a7970124£ 
exit 
interface ethernet 0 

ip address 10.1.2.1 255.255.255.0 
exit 
interface tunnel 1 

ip unnumbered atm 0.1 

tunnel source atm 0.1 

tunnel destination 212.199.8.1 

crypto map client 
exit 
interface atm 0.1 

ip address 212.199.8.2 255.255.255.0 
exit 
ip route 10.1.0.0 255.255.0.0 tunnel 1 


3.6.2 Configuration example of a Client-Server case 


Client 


10.1.3.0/24 


212.199.8.2 212.199.8.1 


Client Configuration: 


configure terminal 

ip access-list extended subl 

permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 
exit 

crypto ipsec transform-set esp-—3des-sha 
esp-3des esp-sha-hmac 
exit 

crypto isakmp key secretpassword address 212.199.8.1 
crypto isakmp policy 1 

encryption 3des 

hash md5 

lifetime 20000 

group 5 
exit 

crypto map ipsec-isakmp isakmp_client 1 

match address subl 

set peer 212.199.8.1 

set transform-set esp-3des-sha 

set pfs group2 

set security-association lifetime seconds 5000 
exit 
interface ethernet 0 

ip address 10.1.2.1 255.255.255.0 
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3.6.3 


exit 

interface atm 0.1 
ip address 212.199.8.2 255.255.255.0 
crypto map isakmp_client 

exit 


ip route 10.1.2.0 255.255.0.0 212.199.8.1 


Server Configuration: 


configure terminal 
ip access-list standard subl 


! only match what comes from/goes to the LAN 


permit 10.1.1.0 0.0.0.255 

exit 

crypto ipsec transform-set esp-—3des-—sha 
esp-3des esp-sha-hmac 

exit 


crypto isakmp key secretpassword address 0.0.0.0 0.0.0.0 


crypto isakmp policy 1 
encryption 3des—cbc 
hash md5 
lifetime 20000 
group 5 

exit 

crypto dynamic dyn 
! Crypto map template 
match address subl 
set transform-set esp-3des-sha 
set pfs group2 


set security-association lifetime seconds 5000 


exit 
! Creation of a policy entry 
crypto map dynamic isakmp_server 1 dyn 
interface ethernet 0 
ip address 10.1.1.1 255.255.255.0 
exit 
interface atm 0.1 
ip address 212.199.8.1 255.255.255.0 
crypto map isakmp_server 
exit 
ip route 0.0.0.0 255.255.255.255 atm 0.1 


Configuration example with an IPsec profile 


ip access-list standard pc 
permit 172.31.100.0 0.0.0.255 
exit 


crypto ipsec transform-set esp-—3des-sha 
esp-3des esp-sha-hmac 
exit 


crypto isakmp keepalive 
crypto isakmp identity hostname 


crypto isakmp policy 1 
authentication rsa-sig 
encryption 3des—cbc 

exit 

crypto isakmp profile myProfile 
self-identity hostname 
match certificate myCertmap 


exit 


crypto pki certificate map myCertmap 1 
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subject-—name co O=OneAccess 
subject-—name co C=BE 
exit 


crypto dynamic mydyn 

match address pc 

set transform-set esp-3des-sha 
set isakmp-profile myProfile 
exit 


crypto map dynamic mymap 10 mydyn 


interface FastEthernet 0/1 
ip address 172.31.100.1 255.255.255.0 
exit 


interface FastEthernet 0/2 

ip address 192.168.1.1 255.255.255.0 
crypto map mymap 

exit 


3.6.4 Configuration example of an Easy VPN Client 


crypto engine enable 
crypto isakmp policy 1 
encryption 3des—cbc 
exit 


crypto isakmp keepalive 60 20 


crypto ipsec client ezvpn TEST 
peer 172.31.124.229 

group cisco key ciscopassword 
username Brian password Adams 
connect auto 
exit 


interface FastEthernet 0/0 
ip address 172.31.124.233 255.255.255.248 
crypto ipsec client ezvpn TEST outside 
exit 


interface FastEthernet 0/1 

ip address 172.31.124.249 255.255.255.248 
ip address 9.9.9.9 255.255.255.0 secondary 
crypto ipsec client ezvpn TEST inside 

exit 


interface FastEthernet 0/2 
exit 


interface FastEthernet 0/3 
exit 


interface FastEthernet 1/0 

ip address 172.31.96.98 255.255.255.192 
crypto ipsec client ezvpn TEST inside 
exit 

interface Loopback 1 

ip address 4.4.4.4 255.255.255.255 
crypto ipsec client ezvpn TEST inside 


exit 


ip route 0.0.0.0 0.0.0.0 172.31.124.235 
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3.6.5 Configuration example of an Easy VPN Server 


DHCP pool 


FE. 1/0 192.168.21.1/24 
___{__Easy VPN tunnel ete v __FE. 0/0:]192.168.20.1]/24 






























FE. 0/3: 10.0.28.13/21 


Easy VPN 
Client 





Easy VPN 
Server 


92.168.16.100 











a ee RADIUS 
DNS § ===. WINS Server 
Servers ~— - Servers 10.0.26.40 





Easy VPN clients get their IP address from the pool in the range 192.168.21.1/24. They also get MyACL 
Access Control List that says that all traffic destined to 192.168.20.0/24 must go to the tunnel (and all other 
traffics not). All this is added to the clients' routing table. 


license activate ezvpnserver 

! 

!list of Easy VPN client users 
username userl password pwdl 0 
username user2 password pwd2 0 
username user3 password pwd3 0 


!DHCP addresses pool for Easy VPN client users 
ip local pool MyPool 192.168.21.1 192.168.21.254 





'access list on Easy VPN client group 

ip access-list extended MyACL 

permit ip 0.0.0.0 0.0.0.0 192.168.20.0 0.0.0.255 
exit 


!IPsec material configuration 
crypto engine enable 
crypto ipsec transform-set MyTrans 
esp-3des esp-sha—-hmac 
exit 
crypto isakmp policy 3 
encryption 3des-—cbc 
exit 





!'Easy VPN client group MODE-CFG configuration 
crypto isakmp client configuration group MYGROUP 
pool MyPool 

key MyPSK 

netmask 255.255.255.0 

dns 8.8.8.8 8.8.8.9 

wins 10.0.24.33 10.0.24.34 

domain mydomain.net 

split-dns mycompany.com 


acl MyACL 
save-password 
exit 


!'crypto map configuration using template and profile 
crypto isakmp profile MyProf 
self-identity address 
client authentication list MyList 
exit 
crypto dynamic MyDyn 
set transform-set MyTrans 
set isakmp-profile MyProf 
exit 
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crypto map dynamic EZVPNSERVER 10 MyDyn 


interface FastEthernet 0/0 

ip address 192.168.20.1 255.255.255.0 
exit 

interface FastEthernet 0/3 

ip address 10.0.28.13 255.255.248.0 
exit 


fattaching crypto map to uplink interface 
interface FastEthernet 1/0 
ip address 192.168.16.2 255.255.255.0 
crypto map EZVPNSERVER 
exit 


interface Loopback 1 

ip address 192.168.20.5 255.255.255.255 
exit 

ip route 0.0.0.0 0.0.0.0 192.168.16.100 


!'EFasy VPN client users authentication configuration 
radius-server 10.0.26.40 Hello clear-text 1812 

aaa authentication login MyList radius 

aaa authentication login MyList local 
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4 IPV6 ACCESS LISTS 


This section describes the features of IPv6 Access Control Lists (ACL) and their configuration. 





4.1 ACL FEATURES (IPV6) 


4.1.1 Access List Filters 


IPv6 access lists are comparable with extended IPv4 access lists. They can filter packets using any 
combination of the following IP and transport protocol header fields: IP source and destination addresses, 
DSCP code, IP protocol identifier, TCP/UDP source and destination port numbers/port range, as well as 
ICMP type and code. 


4.1.2 ICMP Unreachable 


When a packet is dropped by an access list, an ICMP unreachable message can be sent according to a 
configuration parameter. 


4.1.3 Context Based Access Control 


This control mode enables also full TCP packet inspection, namely detection of TCP SYN packets initiating 
the connection, RST or FIN packets ending the connection. TCP packet inspection also protects from TCP 
sequencing replay. 


Such control also limits the configured maximum number of sessions and TCP half-sessions on the router. 
(A half session is a session for which only a SYN packet was intercepted and the router waits for a 
SYN_ACK packet). When the limits are reached, packets are dropped. 


4.1.4 Logging and Statistics 


Access lists provide log information for matching packets, either denied or permitted. Information can be 
displayed either on the console, or logged to a file. Upon the first match of a filter, a log message will be 
issued. Then upon succeeding matches, a summary log message is periodically issued. The level of 
logging detail can be configured. 
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4.2 ACL CONFIGURATION COMMANDS (IPV6) 


To create an IPv6 access list, use the following command in global configuration mode: 


CLI (configure)> ipv6 access-list <acl-name> 
CLI (config-ipv6-acl) > 


Then, ACL rules can be defined to permit or deny traffic. 


4.2.1 Rules Matching IPv6 Addresses 


The syntax to create a permit/deny rule working only at the IP layer is: 


CLI (config-ipv6-acl)> [no] permit <src-ipv6-prefix> <dest-—ipvé-prefix> 


[dscp <0..63>] [log] [sequence <seq>] 


CLI (config-ipv6-acl)> [no] deny <src-ipv6-prefix> <dest-—ipvé-prefix> 


[dscp <0..63>] [log] [sequence <seq>] 


To delete a rule, use the no form of the above command. The first part of the rule is related to the source 
address of the packet, whereby the source IPv6 address must be either any address, or exactly a given IP 
address or matching an IPv6 prefix. The second part is respectively related to the destination IPv6 
address. A log message will be created when the rule is matched if the log parameter is added. The 
sequence argument allows the insertion of a rule at a specific location. IPv6 ACL re-sequencing is not 
supported at the moment. 


Remarks: 


e The IPv6 prefix to match any IPv6 address is: : :/0. 


e The IPv6 prefix to match a host address is <host>/128. For example: 2002: :31/128 


Examples: 


deny 


::/0 2007::1234/64 dscp 8 log sequence 60 
deny 2002: :3456/128 2002::1234/64 dscp 5 


4.2.2 Rules Matching IPv6 Addresses + IP Protocol 


The syntax to create a permit/deny rule working only at the IP layer is: 


CLI (config-ipv6-acl)> [no] permit ip <protocol-nbr> 


<src-ipvé-prefix> <dest-—ipv6-prefix> 
[dscp <0..63>] [log] [sequence <seq>] 


CLI (config-ipv6-acl)> [no] deny ip <protocol-nbr> 


Examples: 


deny 
deny 
deny 
deny 
deny 
deny 
deny 
deny 
deny 
deny 


ip 
ip 
ip 
ip 
ip 
ip 
ip 
ip 
ip 
ip 


<src-ipvé-prefix> <dest-—ipv6-prefix> 
[dscp <0..63>] [log] [sequence <seq>] 


10 2005: :2345/120 2002: :4456/128 

33 2006: :2345/120 2002::4456/123 dscp 10 

254 2007::2345/120 2003::4456/128 dscp 11 log 

150 2008::2345/120 2002: :4456/128 dscp 12 sequence 10 

0 2009: :2345/120 2003: :4456/128 dscp 13 log sequence 12 
13 2056: :2345/120 2022::3456/55 

70 2056: :2345/120 2023::3456/55 dscp 10 

230 2057::2345/120 2024::3456/55 dscp 20 log 

250 2058::2345/120 2025::3456/55 dscp 30 sequence 20 

17 2059: :2345/120 2025::3456/55 dscp 40 log sequence 22 
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4.2.3 Rules Matching IPv6 Addresses + TCP/UDP 


The syntax to create a permit/deny rule working only at the TCP/UDP layer is: 


CLI (config-ipv6-acl)> [no] permit { tcp | udp } 
<src-ipvé-prefix> [<src-port> [<src-port-—end>]] 
[<dest-ipv6-prefix> [<src-port> [<src-port-—end>]]] 
[dscp <0..63>] [log] [sequence <seq>] 


CLI (config-ipv6-acl)> [no] deny { tcp | udp } 
<src-ipvé-prefix> [<src-port> [<src-port-—end>]] 
[<dest-ipv6-prefix> [<src-port> [<src-port-end>]]] 
[dscp <0..63>] [log] [sequence <seq>] 


Examples: 


deny tcp ::/0 2002::3456/128 dscp 5 

deny tcp ::/0 2004::3456/128 100 60400 dscp 5 

deny tcp 2003::3458/128 100 any dscp 7 sequence 15 

deny tcp 2042: :3456/128 335 2048::1234/128 100 60600 dscp 5 
deny tcp 2004::1234/64 ::/0 dscp 5 


4.2.4 Rules Matching IPv6 Addresses + ICMP 


The syntax to create a permit/deny rule working only at the IP layer is: 


CLI (config-ipv6-acl)> [no] permit icmp 
<src-ipv6é-prefix> <dest-—ipv6-prefix> 
[<icmp-type> [<icmp-code>]] 
[dscp <0..63>] [log] [sequence <seq>] 


CLI (config-ipv6-acl)> [no] deny icmp 
<src-ipvé-prefix> <dest-—ipv6-prefix> 
[<icmp-type> [<icmp-code>]] 
[dscp <0..63>] [log] [sequence <seq>] 
Examples: 


deny icmp ::/0 ::/0 6 dscp 15 
deny icmp ::/0 ::/0 255 10 dscp 25 
deny icmp ::/0 2004::3456/128 100 60 dscp 5 


4.2.5 Attaching Detaching an ACL on an Interface 


To attach the access list on an interface, apply the following command under interface configuration mode: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ipv6 access-group <ipv6-acl-name> { in | out } 


To detach the ACL: 


CLI (config-if)> no ipv6 access-group {in | out } 
4.2.6 Stateful Inspection 


For the time being, the IPv6 ACL does not statefully inspect TCP sessions. However, the same context- 
based access control as that from IPv4 has been re-used. The maximum number of ACL sessions and 
TCP/UDP timeouts are not configurable. (Commands: ip inspect ... are not operational). 
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4.3 ACL 


DEBUGS AND STATISTICS (IPV6) 


To debug access lists: 


C 


LI> [no] debug ipv6 access-list 


To view ACL statistics: 


Cc 





LI> show ipv6 access-list [<name>] 
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5 ROUTING INFORMATION PROTOCOL (RIPV1 AND RIPV2) 
This section describes the main features of the Routing Information Protocol (RIPv1 and RIPv2) and its 
configuration. 

5.1 RIP FEATURES 


The Routing Information Protocol is a mature but still commonly used Interior Gateway Protocol (IGP) 
defined for use in small, homogeneous networks, it is a classical distance-vector routing protocol. RIP 
(version 1) was first documented in RFC 1058; version 2 extensions are in RFC 2453. 


RIP uses broadcast (version 1) or multicast (version 2) User Datagram Protocol (UDP) data packets to 
exchange routing information. By default, RIP sends routing information updates every 30 seconds. This 
process is termed advertising. If a router does not receive an update from another router for 180 seconds 
or more, it marks the routes served by the non-updating router as being unusable. If the router has not 
been updated after 300 seconds, the router removes all routing table entries for the non-updating router. 


The metric that RIP uses to rate the value of different routes is a hop count. The hop count is the number 
of routers that a packet must traverse to reach the destination using a given route. A directly connected 
network has a metric of one; an unreachable network has a metric of 16. This very limited range of metrics 
makes RIP unsuitable for large networks. 


If the router has a default network path, RIP advertises a route that links the router to the pseudo network 
0.0.0.0. The network 0.0.0.0 does not exist; RIP treats 0.0.0.0 as a network to implement the default 
routing feature. The default network will be advertised if it was learned by RIP, or if the router has been 
configured to generate a default route. 


By default, RIP sends routing updates to the interfaces directly connected to the specified networks. No 
routing updates will be advertised to, or received from the interfaces that do not belong to the specified 
networks in RIP. This checking can be deactivated. 


Route auto-summarization is not used and cannot be activated. 


The implementation of RIP Version 2 supports plain text and MD5 authentication. 
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5. 


5.2.1 


5.2.2 


2 


RIP CONFIGURATION COMMANDS 


To configure RIP, the user should complete the tasks in the following sections. First enable RIP; the 
remaining tasks are optional. 


Enabling RIP 


Note: as of V4.3R2E2 software release, RIP is only supported on the default VRF. 


RIP can be enabled or disabled on a network, in other words, interface(s). To do so, one must specify the 
network address by using the following commands in global configuration mode: 


CLI> configure terminal 
CLI (configure)> router rip 
CLI (router-rip) network <ip-address> 





The first command places the user in router configuration mode. The second command enables the RIP 
routing process on the interfaces which belong to the given network address. The parameter IP address 
must be the network address of a directly connected network. The network number specified should not 
contain any subnet information. There is no limit to the number of network commands that can be entered 
on the router. 


Once RIP is enabled on a network, RIP routing updates will be sent and received through the interfaces of 
that network. Also the interfaces without network addresses will not be advertised by any RIP update. To 
remove an entry, use the no form of this command. 


The following command in router configuration mode allows user to disable the sending of routing updates 
ona specific interface: 


CLI (router-rip)> passive-interface <type> <unit> 


The default behavior is to send routing updates on an interface on the specified networks. To return to the 
default behavior, use the no form of this command. 


Adjusting Timers 


RIP makes use of several timers to control the frequency of routing updates and the interval to drop 
obsolete routes, for example. Users can adjust these timers to tune routing protocol performance to better 
suit the needs of their own network environment. The following timers can be adjusted: 


e update-timer: time interval (in seconds) at which routing updates are sent (default is 30 seconds). 


e invalid-timer: time (in seconds) after which a route is declared invalid if no routing updates are 
received (default is 180 seconds). 


e flush-timer: time (in seconds) after which a route is removed from the routing table if no routing 
updates are received (default is 300 seconds). 


e hold-down-timer: (optional) time (in seconds) during which no new route update is accepted 
following a route change (default is 180 seconds; use 0 to disable this timer). 


To adjust these timers, the user should run the following command in router configuration mode: 


CLI (router-rip)> timers basic <update-timer> <invalid-timer> 
<flush-timer> [<hold-down-timer>] 


Use default timer basic command to restore the default values. 
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5.2.3 Setting RIP Versions 


By default, the software receives and sends RIP v2 packets. The user can configure the software to 
receive and send only v1 packets. To specify a RIP version to be used globally (for all interfaces) by the 
router, the user can run the following command: 


CLI> configure terminal 
CLI (configure)> router rip 
CLI (router-rip)> version <1-2> 


The default form of the above-referenced command restores the default value. 


The user can override the value configured by specifying another version for a particular interface. To 
control the RIP version in which RIP updates are sent to an interface, the user can run the following 
commands in interface configuration mode: 


CLI> configure terminal 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip rip send version <1-2> 


Similarly, to control the RIP version in which RIP updates are received from an interface, the user can run 
the following command in interface configuration mode: 


CLI> configure terminal 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip rip receive version <1-2> 


Use the default form of the above-referenced commands to return to the global version. 
5.2.4 Configuring Authentication 


RIP vi does not support authentication. RIP v2 supports authentication of packets sent and received from 
an interface. 


A single mode of authentication is currently provided on an interface for which RIP authentication is 
enabled: plain text authentication. 


Before enabling RIP authentication on a specific interface, the user must define a key string in global 
configuration mode: 


CLI 
CLI 
CLI 
CLI 
Cc 
Cc 


configure)> key chain <key-chain-name> 
config-keychain)> key <key-id> 
config-keychain-ke)> key-string <key-string> 
config-keychain-ke) > exit 

config-keychain)> exit 

configure)> exit 


LI 
LI 





The first command places user in key chain configuration mode. The second command defines a key 
identified by a unique key number and places user in key configuration mode. By entering the key-string 
keyword, the user will be able to define the character string associated with this particular key. 


Restriction: only one key can be defined in a key-chain. 


To configure RIP authentication, the following command must be executed in interface configuration mode 
to enable RIP authentication on a specific interface: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip rip authentication key-chain <key-chain-name> 





5.2.5 Generating a Default Route into RIP 


To generate a default route into RIP, the following commands can be used: 


CLI (configure)> router rip 
CLI (router-rip)> default-information originate 





To disable this feature, use the no form of this command. 
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5.2.6 


5.2.7 


5.2.7.1 


5.2.7.2 


Redistributing Routes 


For RIP to advertise routes learnt via other techniques than RIP, run the following command starting in 
router configuration mode: 


CLI (router-rip)> redistribute { connected | static | bgp | ospf } 
[metric <0..16>] [route-map <route-map-name>] 


connected designates routes that are directly connected. static indicates routes configured via static 
routing. bgp and ospf indicates that routes, learnt via BGP or OSPF, are redistributed by RIP. The 
metric argument provides the metric associated with the injected routes. The default metric is 1. 


You can optionally use route maps to advertise only certain routes. Route maps are a global mechanism 
for routing protocols that enables the filtering of undesired routes. As route-maps can be used for BGP, 
RIP and OSPF, some configuration commands for route maps are only relevant for certain protocols 
(mostly BGP), hence the fact that they are detailed in each section for every routing protocols. 


Route Filtering 


To control and filter routes advertised via RIP, OneOS offers route-maps and distribute-lists. As seen in 
5.2.6, route-maps are applied on redistributed routes. Route-maps select the injected routes that are 
allowed to be advertised by RIP and modify the route attributes. Distribute-lists are used to control which 
routes are advertised to interfaces. 


Both mechanisms require filtering that is either based on access-lists or prefix-lists. 
Filtering Based on Access Lists 


Such filtering is based on standard access lists. When using access-list for route filtering, access-lists have 
a special behavior: 


e The default route is written as follows: 0.0.0.0 0.0.0.0 (e.g. arule to deny the default route: deny 
0.0.0.0 0.0.0.0) 


e All routes (=any route) is entered as follows: 0.0.0.0 255.255.255.255 


e There must be an exact match for the network; sub-networks are not matched (if you configure 
permit 10.0.0.0 0.255.255.255, 10.0.1.0/24 is not matched by this rule). 


Example: the following access list only selects 10.1.1.0/24 and the default route, and denies all other 
routes: 


ip access-list standard rtfilter 
permit 0.0.0.0 0.0.0.0 

permit 10.1.1.0 0.0.0.255 

deny 0.0.0.0 255.255.255.255 
exit 


Filtering Based on Prefix Lists 


Prefix lists can be used as an alternative to access lists in many route filtering commands (e.g. BGP route 
filtering). A prefix list must be set up before using it in a command. The entries in the prefix list are 
automatically ordered the longest first so the most specific match is chosen. The following sections will 
describe the different commands that are available for creating and managing prefix lists. Finally the 
section 5.2.7.2.4 "How the System Filters Traffic by Prefix List" will give on overview on how the filtering is 
done when using prefix lists. 


5.2.7.2.1 Prefix List Creation 


To create a prefix list, use the ip prefix-—list command, beginning in global configuration mode: 


CLI (configure)> ip prefix-list <list-name> { deny | permit } 
<network>/<len> [ge <ge-value>] [le <le-value>] 
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It creates a prefix list with the name specified for l1ist-name. The optional keywords ge (= greater or 
equal) and le (= less or equal) can be used to specify the range of the prefix length to be matched for 
prefixes that are more specific than network/length. An exact match is assumed when neither ge nor le is 
specified. The range is assumed to be from ge-value to 32 if only the ge attribute is specified, and from 
len to le-value if only the 1e attribute is specified. 


A specified ge—value and/or le-value must satisfy the following condition: 





len < ge-value <= le-value <= 32 


To create a prefix list you must enter at least one permit or deny clause. 
To remove a prefix list and all of its entries, use the following command in global configuration mode: 
CLI (configure)> no ip prefix-list <list-name> [{ deny | permit } 
<network>/<len> [ge <ge-value>] [le <le-value>]] 
It removes the prefix list with the name specified for List-name. 
For example, to deny all prefixes matching /24 in 128.0.0.0/8, you would use: 
CLI (configure)> ip prefix-list foo deny 128.0.0.0/8 ge 24 le 24 


5.2.7.2.2 | Showing Prefix Entries 
To display information about prefix tables, prefix table entries, the policy associated with a node, or specific 
information about an entry, use the following commands, beginning in global mode. 


To display information about all prefix lists: 


CLI> show ip prefix-list [detail | summary ] 


To display a table showing the entries in a prefix list: 


CLI> show ip prefix-list <name> [detail | summary] 


To display the policy associated with the node: 


CLI> show ip prefix-list <name> [<network>/<len>] 


To display all entries of a prefix list that are more specific than the given network and length: 


CLI> show ip prefix-list <name> [<network>/<len>] longer 


To display the entry of a prefix list that matches the given prefix (network and length of prefix): 


CLI> show ip prefix-list <name> [<network>/<len>] first-match 
5.2.7.2.3. Clearing the Hit Count Table of Prefix List Entries 


To clear the hit count table of prefix list entries, use the next command, beginning in global mode: 


CLI> clear ip prefix-list <name> [<network>/<len>] 


It clears the hit count table of the prefix list entries. 
5.2.7.2.4 How the System Filters Traffic by Prefix List 


Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list. When there 
is a match, the route is used. More specifically, whether a prefix is permitted or denied is based upon the 
following rules: 


e Anempty prefix list permits all prefixes. 
e Animplicit-deny is assumed if a given prefix does not match any entries of a prefix list. 
e When multiple entries of a prefix list match a given prefix, the longest, most specific match is chosen. 


The router begins the search at the top of the prefix list. Once a match or deny occurs, the router does not 
need to go through the rest of the prefix list. 
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Filtering can be handled on the level of routing information and from different sources. To do that, several 
mechanisms are detailed in the following sections. 

5.2.7.3 Distribute-Lists 


Distribute-list controls the received/sent routes advertised via RIP. First, you must create an access- 
list/prefix-list as defined in the previous sections. Then, you can specify the distribute-list that is applied on 
all interfaces or on the specified interface. Please refer to 5.2.10. 


5.2.7.4 Route Maps 


To define a route map use the following command, beginning from the global configuration terminal: 


CLI (configure)> route-map <map-tag> { permit | deny } <sequence-number> 
CLI (config-route-map) > 





map-tag Is a string identifying the route map. 


sequence-number is an integer indicating the relative position compared to other instances that define 
the route-map. When RIP applies a route-map instance to routing advertisements, it applies the lowest 
instance first. If the set of conditions is not met the next instance is used and so on until either a condition 
is met or there is no more condition to apply. We generally use 10 as sequence number when creating the 
route map and use increments of 10 for the following route map sequence, so that you can insert easily 
other route map instances between already configured instances. 


Conditions are expressed using the match command that is defined as follows: 


CLI (config-route-map)> match ip { address | next—-hop } 
{ <access-list-number> 
| prefix-list <prefix-list-name> } 


When using the address keyword, the match clause applies the access/prefix list to the advertised 
network. When using the next-hop keyword, the match clause applies the access/prefix list to the next- 
hop of the advertised network. 


You can modify the metric of matching advertisements (only supported for BGP): 


CLI (config-route-map)> set metric <+-metric> 


To add a specific offset value to the metrics learnt via a specified interface, use the following command in 
interface configuration mode. Refer to the "Example" of "Backup using Route Monitoring (Dialer Watch- 
List)" section in "Activity Control of Backup & Switched Interfaces" chapter of "OneOS — WAN User Guide" 
document. 


CLI> configure terminal 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip rip metric <offset> 





Use the following command, in global mode, to display the configuration of route maps: 


CLI> show route-map [<map-tag>] 


5.2.8 Triggered RIP 


When there is a change in the route database, it can be desirable to advertise immediately the change to 
the network. For example, a router with an ISDN backup can announce in this way, that an ISDN backup 
has been setup and remote routers update more rapidly their routing tables. 


Triggered RIP enables RIP to send updates only when changes appear in the route database thus 
preventing unnecessary advertisements of routing updates on links, which are charged for usage time. The 
command is the following: 
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CLI (configure)> router rip 
CLI (router-rip)> trigger-interface { bri <slot>/<port>.<id> 
| dialer <id> 
| dialer-mlppp <id> 
| dot1ilradio <slot>/<port>.<id> 
| isdn <slot>/<port>.<id> 
| 12tunnel <id> 
| serial <slot>/<port>.<id> } 


Triggered RIP is available only on the listed interfaces. 
5.2.9 Administrative Distance 


The administrative distance defines the preference for routes that are learnt via different routing protocols. 
By default, RIP has an administrative distance of 120. To modify this distance, use: 


CLI (router-rip)> distance <1..255> 


Use the following command to reset the default distance: 


CLI (router-rip)> no distance 
5.2.10 RIP Update Filtering 


RIP update filtering enables the router to select route prefixes that are advertised globally and/or per 
interfaces. The command is the following: 


CLI (router-rip)> distribute-list { <acl-name> | prefix <list-—name> 
[gateway <list-name>] } { in | out } [<interface> <unit>] 


If access lists are used they are standard access lists. When prefix lists are used, the optional argument 
gateway gives the name of the prefix list to be applied to the gateway of the prefix being updated. 


For incoming updates, the filtering is applied first per interface, then globally. For outgoing updates, the 
global distribute-list is applied first, then per interface. If optional arguments are not provided, the filtering 
applies to all updates (either incoming or outgoing). 


Example 1: Outgoing Update Filtering 
We only want to advertise networks included in 20.1.0.0/16 on FastEthernet 0/0 interface. 


ip access-list standard out_rip_acl 

permit 20.1.0.0 0.0.255.255 

exit 

router rip 

distribute-list out_rip_acl out fastethernet 0/0 
exit 


Example 2: Incoming Update Filtering 
We accept all networks except 10.20.2.0/24 on the FastEthernet 0/0 interface. 


ip access-list standard in_rip_acl 

deny 10.20.2.0 0.0.0.255 

permit any 

exit 

router rip 

distribute-list in_rip_acl in fastethernet 0/0 
exit 


Example 3: Incoming Update filtering using Prefix List 


We accept only prefixes with lengths of /8 coming from 10.10.10.1 address only. 


ip prefix-list length_8_list permit 0.0.0.0/0 ge 8 le 8 

ip prefix-list allow_list permit 10.10.10.1/32 

router rip 

distribute-list prefix length_8_list gateway allow_list in 
exit 
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5.2.11 Disabling update source IP address validation 


By default, the router checks if IP source address of incoming updates belongs to the specified networks in 
RIP. If not, routing updates will not be advertised to, nor received from the interfaces. Use the following 
command in router configuration mode to disable this checking. 


CLI (router-rip)> no validate—update-source 


Use the following command to make the router validate again update source IP addresses. 





CLI (router-rip)> validate-—update-source 
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5.3 RIP CONFIGURATION EXAMPLE 


Routers "mozart" and "bach" both have an interface connected to network 20.1.1.0/24. To exchange 
routing information between the two routers using RIPv2: 


192.168.2.0 20.1.1.0 10.1.2.0 





















































mozart 



















10.1.2.48 





192.168.2.88 20.1.1.88 





20.1.1.48 








For router bach, the configuration commands are as follows: 


configure terminal 
router rip 
network 10.0.0.0 
network 20.0.0.0 
exit 


To display current routes: 


CLI> show ip route 
Codes: C connected, S static, R RIP, O OSPF, B eBGP, b iBGP, o other 


C 0.0.0.1/32 is directly connected, Null 0 

C 10.1.2.0/24 is directly connected, Ethernet 0/0 

C 20.1.1.0/24 is directly connected, FastEthernet 0/0 
C 127.0.0.1/32 is directly connected, Loopback 0 

R 192.168.2.0/24 via 20.1.1.88, FastEthernet 0/0 


For router mozart, the configuration commands are as follows: 


configure terminal 
router rip 
network 192.168.2.0 
network 20.0.0.0 
exit 


To display mozart routes: 


CLI> show ip route 
Codes: C connected, S static, R RIP, O OSPF, B eBGP, b iBGP, o other 


C 0.0.0.1/32 is directly connected, Null 0 

R 10.1.2.0/24 via 20.1.1.48, FastEthernet 0/0 

C 20.1.1.0/24 is directly connected, FastEthernet 0/0 
127.0.0.1/32 is directly connected, Loopback 0 


c 
C 192.168.2.0/24 is directly connected, Ethernet 0/0 
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5.4 RIP STATISTICS 


The following command displays the parameters and current state of the active routing protocol process: 


CLI> show ip protocols 


This command does not have parameters or keywords. The information displayed by this command is 
useful in debugging routing operations. The following is sample output from the show ip protocols 


command: 


show ip protocols 

Routing Protocol is RIP 

Sending updates every 30 seconds, next due in 13 seconds 
Invalid after 180 seconds, flushed after 300 
Redistributing: RIP 

Default version control: send version 2, receive version 2 
Interface Send Recv Key-chain 

Ethernet 0/0 2 2 

FastEthernet 0/0 2 2 

Routing for Networks: 

20.0.0.0 

10.0.0.0 


The show ip rip database command displays RIP routing database entries: 


CLI> show ip rip database [<destination>] [<netmask>] 


Invoked without parameters, the command will display all routing entries in the database. The following is 


sample output from the 'show ip rip database’ command: 


show ip rip database 192.168.2.0 255.255.255.0 
192.168.2.0/24 
[2] via 20.1.1.88, 00:00:16, 


show ip rip database 

192.168.2.0/24 

[2] via 20.1.1.88, 00:00:22, 

10.1.2.0/24 directly connected, Ethernet 0/0 
20.1.1.0/24 directly connected, FastEthernet 0/0 


The following command displays the number of RIP messages sent and received on an interface involved 


in the RIP routing process: 


CLI> show ip rip interface [<type> <unit>] 


Invoked without parameters, the command will display statistics for all the interfaces involved in the RIP 


routing process. The following is sample output from the ‘show ip rip interface' command: 


show ip rip interface ethernet 0/0 
IN: 0 packets, 0 discards, 0 bad routes 

OUT: 124 packets 

show ip rip interface 

Ethernet 0/0 

IN: 0 packets, 0 discards, 0 bad routes 
OUT: 125 packets 

FastEthernet 0/0 

IN: 121 packets, 0 discards, 0 bad routes 
OUT: 124 packets 


The following command displays the total number of messages sent and received on all the interfaces 


involved in the RIP routing process: 


CLI> show ip rip statistics 


This command does not have parameters or keywords. The following is sample output from the command: 


show ip rip statistics 

IN: 130 packets, 0 discards, 0 bad routes 
OUT: 265 packets, 1 responses to queries 
3 route database changes 
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5. 


5 


RIP DEBUG AND TRACE 


The following command enables logging of RIP routing transactions: 


CLI> debug ip rip events 


The following is a sample of output from that commana: 


16:22:42.599: 
16:22:42.599: 
16:22:42.600: 
16:22:42.600: 
L6322.3'53::6723 


RIP: 
RIP: 
RIP: 
RIP: 
RIP: 


sending v2 RESPONSE to 224.0. 
sending v2 RESPONSE to 224.0. 
received v2 RESPONSE from 10. 
received v2 RESPONSE from 20. 
received v2 RESPONSE from 20. 


rPRROO 


FPRNWwo 


via Ethernet 0/0 (10.1.2.48) 


via FastEthernet 0/0 (20.1.1.48) 


-48 on Ethernet 0/0 
-48 on FastEthernet 0/0 
-88 on FastEthernet 0/0 


Use the no form of this command to disable RIP routing transaction logging. 


The following command enables logging of RIP routing database changes. 


CLI> debug ip rip database 


The following is a sample of output from that command: 


16:24:45.461: 
16:24:45.461: 
16:24:45.464: 


RIP-DB: 
RIP-DB: 
RIP-DB: 


adding route to 20.0.0.0/8 through 20.1.1.48 
adding route to 20.1.1.0/24 through 20.1.1.48 
adding route to 192.168.2.0/24 through 20.1.1.88 


The no form of this command disables logging of RIP routing database changes. 
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6 


BORDER GATEWAY PROTOCOL (BGP-4) 





6. 


1 


INTRODUCTION TO BGP 


The Border Gateway Protocol (BGP) is an intelligent IP routing protocol that dynamically learns routing 
paths, builds/updates forwarding tables and selects the best path when forwarding packets between 
autonomous systems that compose the Internet (an autonomous system is a collection of networks that 
are managed by a single administrative authority). It has become the de-facto standard for inter domain 
routing protocol and has been deployed to overcome significant scalability limitations and stability issues 
experienced with former protocols. Customer networks, such as corporations, governmental agencies, 
usually employ an Interior Gateway Protocol (IGP) such as RIP or OSPF for the exchange of routing 
information within their networks and to connect to the Internet through ISPs. When BGP is used between 
autonomous systems (AS), the protocol is referred to as External BGP (eBGP) where the use of BGP to 
exchange routes within an AS is referred to as Interior BGP (iBGP; iBGP is also an IGP). 


To achieve a high level of robustness and scalability, BGP uses several routing update attributes, to select 
the best path(s) and maintain a stable routing environment. 


Classless inter domain routing (CIDR) is used by BGP to reduce the size of the Internet routing tables. 


Full routing information is exchanged between BGP neighbors only when the TCP connection is first 
established between them. When changes to the routing table are detected, the BGP routers send to their 
neighbors only those routes that have changed, which makes the BGP routing protocol stable and well 
suited for environment when a large number of routes must be managed. Each BGP router advertises 
routing updates to their neighbors, which in turn can be filtered to optimize routing information distribution 
(routes are always advertised; this behavior cannot be modified). 
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6. 


6.2.1 


6.2.1.1 


2 


BGP CONFIGURATION 


a) There are many options for BGP configuration. However, few steps are mandatory. They are: 
e BGP routing activation 
e BGP neighbor configuration 


b) Each routing update contains path information as well as some additional attributes that are used during 
BGP route selection process. You may want to force preference of certain paths. To achieve this goal, the 
solution is to select and filter routing updates and to modify the attributes of these filtered routing updates 
in order to influence the best path selection process. 


c) The powerful design of BGP enables a flexible filtering of inbound and outbound updates using a large 
variety of criteria. The rules for filtering are known as routing policies and use several types of filtering: 


o © By AS path filters (all routing updates contain a string, which is an aggregate of all traversed 
AS. AS path filters are filtering rules for the selection of routes traversing certain AS) 


o By prefix lists (routes filtered based on the prefix list) 
o By access lists 


The filtering and specific attribute modification is then handled in route maps. The so-called “distribute-list" 
enables the filtering of inbound and outbound updates. 


When applying a new routing policy, it becomes possible that some information stored in the BGP router 
becomes deprecated. This is because the new routing policy will not allow these routing updates to be 
received / emitted. Therefore, it becomes necessary to apply BGP connection resets. 


d) As BGP is an Exterior Gateway protocol, it is designed to scale on large networks. BGP routers may 
have to process large routing tables. Some BGP optimizations (such as flap dampening and route 
aggregation) can help in significantly reducing the amount of resources required by BGP. 


Required BGP Configuration Steps 


The tasks in this section are for basic BGP feature configuration. 


Enabling BGP Routing 


To enable BGP routing, use the following command in global configuration mode: 
CLI (configure)> router bgp <autonomous-system> [vwrf <vrf-name>] 
CLI (config-router) > 
The autonomous-systenm is an integer value, uniquely designating the AS. The vrf-name is optional. If 
not provided the default VRF is used. 
The above command creates a BGP routing process. The CLI enters in router configuration mode. 


The following command in router configuration mode sets a network as local to this autonomous system. In 
other words, this network is de-facto entered into the BGP database. A route-map is applied when you 
need to apply some filtering (see 6.2.3.3.3 for route-maps). 


CLI (config-router)> network <network>/<len> [route-map <name>] 
Unlike in some other BGP implementations, a network is advertised even if it is not present in the IP 
routing table. 
Use the following command to remove the network: 


CLI (config-router)> no network <network>/<len> 
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6.2.1.2. BGP Neighbor Configuration 


As in any EGP protocol, a BGP router must have its neighbors declared. This task is required. 


BGP neighbors are either internal or external. If a neighbor is internal, the router uses the Interior BGP 
protocol and the neighbor is in the same AS. Otherwise, the router is external and managed in a different 
AS. 


To configure BGP neighbors, use the following command in router configuration mode: 
CLI (config-router)> neighbor <ip-address> 


CLI (config-router-neighbor) > 


The above command selects the neighbor for which the configuration is to be entered. The CLI enters in 
neighbor configuration mode. Refer to 6.2.1.5 for the neighbor configuration commands. 


6.2.1.3. BGP Peer Group Creation 


A BGP router is usually connected to multiple neighbor routers. In most cases, you may want to apply a 
common set of routing policies to these BGP peers. For that purpose, OneOS supports the creation of 
peer groups. Peer groups collect routing policies for a set of BGP peers. So, whenever you need to 
change a policy for each peers of the BGP router, you only need to do it once, in peer-group configuration. 
It is comparable with the concept of PPP virtual template. 


The only difference is that you can override parameters defined in peer-group configuration in neighbor 
configuration. By default, neighbors member of the peer-group inherit the peer-group parameters unless 
re-configured in neighbor configuration. 


The configuration of peer groups is achieved in three steps: 
1. Peer Group Creation 
2. Assignment of routing policy options 


3. Definition of neighbors, which are member of the peer group 


A BGP peer group is created as follows in router configuration mode: 
CLI (config-router)> [no] peer-group <peer-group-name> 


CLI (config-router-group) > 


The above command selects the peer group for which the configuration is to be entered. The CLI enters in 
peer group configuration mode. Refer to 6.2.1.5 for the peer group configuration commands. 


6.2.1.4 | Neighbor Membership Configuration in a Peer Group 


Once you have created the peer group and some associated parameters, return to the router configuration 
mode, select a neighbor and enter the peer group name, which the neighbor belongs to: 


CLI (config-router-group)> exit 
CLI (config-router)> neighbor <ip-address> 
CLI (config-router-neighbor)> [no] peer-group <peer-group-—name> 





Use the no form of the command to remove the peer group membership. 
6.2.1.5 | Assignment of Routing Policies and Attributes 


The same routing attributes and filters are provided in neighbor configuration mode and in peer group 
configuration mode. 


Note: in this chapter the prompt config-router-xxx stands for config-router-neighbor and 
config-router-group. The first command is mandatory (others are not, default values can apply). 


To specify a BGP neighbor, use the following command in neighbor / peer-group configuration mode: 


CLI (config-router-xxx)> [no] remote-as <number> 
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Use the no form of the command to remove the neighbor. 


To associate a description with a neighbor / peer-group, use the following command: 


CLI (config-router-xxx)> description <text> 


Use the following command to remove the description: 





CLI (config-router-xxx)> no description 


To allow a BGP speaker (the local router) to send the default route 0.0.0.0 to a neighbor / peer-group for 
use as a default route, use the following command: 


CLI (config-router-xxx) > default-originate [route-map <map-—name>] 


Use the following command to remove the default route: 





CLI (config-router-xxx)> no default-originate [route-map] 


To specify that the COMMUNITIES attribute is to be sent to the neighbor / peer group at this IP address, 
use the following command: 


CLI (config-router-xxx)> [no] send-community 


Use the no form of the command to stop sending the COMMUNITIES attribute. 


To allow internal BGP sessions to source BGP TCP connections with the IP address of a specified 
operational interface, use the following command: 


CLI (config-router-xxx) > update-source <interface-type/unit> 


Use the following command to come back to the best local address (the closest): 





CLI (config-router-xxx)> no update-source 


To allow BGP sessions, even when the neighbor / peer group is not on a directly connected segment, use 
the following command. Use the optional parameter to limit the maximum hop count to be taken into 
account (default value is 1): 


CLI (config-router-xxx)> ebgp-multihop [<max-hop-count:1-255>] 


Use the following command to come back to the default behavior (1 hop): 


CLI (config-router-xxx)> no ebgp-multihop 


To limit the number of prefixes allowed from a neighbor / peer-group, use the following command. When 
the maximum number of prefixes is exceeded the neighbor / peer-group is disconnected, unless the 
optional warning-only parameter is used that allows exceeding the maximum number of prefix; a log 
message is then generated. 


CLI (config-router-xxx) > maximum-prefix <number> [warning-only] 


Use the following command to remove the limitation: 





CLI (config-router-xxx)> no maximum-prefix [warning-only] 


BGP uses the AS path to discover routing loops. In some network topologies, access routers exchange 
routing information via iBGP (in the same AS), but communicate through a backbone routing domain with a 
different AS number. Routing updates coming from the remote access routers have AS paths formed as 
follows: AS (customer) , AS (backbone). Such received update is normally dropped, because an update 
for an intra-AS route is learnt via another AS. By default, no loop is permitted. The following command 
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permits loops by providing the number of times the router's own AS number can appear in the AS path of 
received updates (value is between 1 and 10; default value is 3). 


CLI (config-router-xxx)> allowas-in [<nb-of-loops>] 


Use the following command to come back to default behavior (no loop allowed): 





CLI (config-router-xxx)> no allowas-in 


To apply a route map to incoming or outgoing routes: 


CLI (config-router-xxx)> [no] route-map <map-name> { in | out } 


Use the no form of the command to remove the route-map. 


Use the following command to finalize the neighbor / peer-group configuration and return to BGP router 
configuration mode: 


CLI (config-router-xxx)> exit 
CLI (config-router) > 





Note: there are additional parameters available. Please refer to following chapters for their configuration. 
6.2.1.6 Disabling a Peer or Peer Group 


To disable an existing BGP neighbor or a peer group, use the shutdown command in neighbor or peer 
group configuration mode: 


CLI (config-router-xxx) > shutdown 


To re-enable the neighbor or peer-group, use: 


CLI (config-router-xxx)> no shutdown 


6.2.2 Additional BGP Configuration Steps 
6.2.2.1. Configuring TCP MD5 signature option for BGP sessions 


This TCP extension described in RFC 2385 allows protecting BGP sessions against spoofing attacks by 
including an MD5 digest acting as a signature in every TCP segment of a session. 


To enable this option for a BGP neighbor, use the following command in neighbor configuration mode or in 
peer-group configuration mode: 


CLI (config-router-xxx)> password <password> [<0-1>] 
Where password is a character string representing the clear text or encrypted password. The optional 
parameter specifies if the clear text password should be encrypted (0) or if the password string represents 


the encrypted password (1). If the optional argument is not provided, the password remains stored in the 
configuration in clear text. 


To disable this option use the following command: 


CLI (config-router-xxx)> no password 


Use the following command to see if this option is enabled for a given neighbor: 





CLI> show ip bgp neighbors 192.168.2.2 
BGP neighbor is 192.168.2.2, remote AS 200, local AS 1, external link 
Member of peer-group bulls for session parameters 
BGP version 4, remote router ID 98.0.0.1 
TCP MD5 signature option is set for this neighbor 
BGP state = Established, up for 03:00:01 
Last read 00:00:01, hold time is 180, keepalive interval is 60 seconds 
Neighbor capabilities: 
Route refresh: advertised and received (old and new) 
Address family IPv4 Unicast: advertised and received 
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Received 184 messages, 0 notifications, 0 in queue 
Sent 184 messages, 0 notifications, 0 in queue 

Route refresh request: received 0, sent 0 

Minimum time between advertisement runs is 30 seconds 


For address family: IPv4 Unicast 
bulls peer-group member 
1 accepted prefixes 


Connections established 1; dropped 0 
Local host: 192.168.2.1, Local port: 1026 
Foreign host: 192.168.2.2, Foreign port: 179 
Nexthop: 192.168.2.1 
Read thread: on Write thread: off 


The following command provides information about the number of TCP segments sent and received with 
the TCP MD5 signature option set. 


CLI> show tcp statistics 
TCP statistics: 
IN: 4679 total 
0 checksum error, 0 bad offset, 0 too short 
3147 packets (37045 bytes) in sequence 
0 dup packets (0 bytes) 
partially dup packets (0 bytes) 
out-of-order packets (0 bytes) 
packets (0 bytes) with data after window 
packets after close 
window probe packets, 2 window update packets 
0 dup ack packets, 0 ack packets with unsend data 
3164 ack packets (39070 bytes) 
194 md5 packets, O invalid md5 
OUT: 4857 total, 0 urgent packets 
3 control packets 
3162 data packets (39068 bytes) 
0 data packets (0 bytes) retransmitted 
1692 ack only packets (915 delayed) 
0 window probe packets, 0 window update packets 
373 md5 packets 
6 connections established (including 3 initiated, 3 accepted) 
8 connections closed (including 0 dropped, 0 embryonic dropped) 
0 total rxmt timeout, 0 connections dropped in rxmt timeout 
291 keepalive timeout, 0 keepalive probe, 0 connections dropped in keepalive 


oo 0: 0'O 


6.2.2.2 Load Sharing 


By default, BGP tries to select the best path for a route to a network by using several selection criteria. 
They are, in order of priority: 
1. Prefer the highest weight 
Prefer the highest local preference 
Prefer the shortest AS path 
Prefer routes whose origin is IGP over EGP. Prefer EGP over Incomplete origin 
Prefer the lowest MED 


oa Fw DN 


Routes learnt via BGP are indicated via a next-hop. The metric of the routes to the different 
next hop are compared; the lowest metric is preferred. 


If at this stage of the path selection algorithm, some routes are considered equal, they can be all installed 
in the routing table, only if load sharing is enabled. To activate load sharing with BGP, the maximum 
number of equal routes must be entered; default: 1, maximum: 6. 


CLI (config-router) > maximum-paths <nb-of-routes> 
nb-of-routes designates the maximum number of equal routes that are allowed to be transmitted to the 


routing table. Load sharing is managed with BGP routes like static routes (see "Static Routes" section in 
"|Pv4 Features" chapter of "OneOS — Basic IP User Guide" document). 


It is also possible to set the same priority to eBGP and iBGP routes so as to apply the load sharing among 
the various routes in the BGP router. To activate load sharing with eBGP and iBGP, the maximum number 
of equal routes must be entered; default: 1, maximum: 6. 
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CLI (config-router) > maximum-paths eibgp <nb-of-routes> 


Use the no form of the command to deactivate load sharing with BGP. 


CLI (config-router)> no maximum-paths 
6.2.2.3 Backdoor Routes 
A backdoor route is a special network that the BGP router should use for routing, but the router should not 


advertise the route. A backdoor route is entered as follows in router configuration mode: 


CLI (config-router)> network <network>/<len> backdoor 
6.2.2.4 Administrative Distance 
The administrative distance defines the preference for routes that are learnt via different routing protocols. 


To modify the distance values, use the following command in router configuration mode: 


CLI (config-router)> distance bgp <ebgp> <ibgp> <local> 


Where: 

ebgp is the administrative distance for routes learnt via eBGP. Default: 20. 

ibgp is the administrative distance for routes learnt via iBGP. Default: 200. 

local is the distance for routes advertised using the network command. Default: 200. 
Use the following command to come back to default distances: 


CLI (config-router)> no distance bgp 
6.2.2.5 Route Redistribution 


Route redistribution is an alternative to the network command to advertise networks using BGP. It 
consists in injecting connected, static or IGP routes into BGP database. The injected routes are advertised 
whenever BGP scans its database (periodical process). To advertise directly connected network routes via 
BGP, run the following command in router configuration mode: 


CLI (config-router)> [no] redistribute connected [metric <metric>] 
[route-map <name>] 
To advertise static routes via BGP, run the command: 
CLI (config-router)> [no] redistribute static [metric <metric>] 
[route-map <name>] 
To advertise routes learned through an external protocol via BGP, run the command: 
CLI (config-router)> [no] redistribute { rip | ospf } [metric <metric>] 
[route-map <name>] 
metric argument is the metric used to advertise the redistributed routes. name permits the filtering of 
certain routes. See 6.2.3.3.3 for details on route maps. 


Use the no form of the commands to remove route redistribution. 
6.2.2.6 Modification of BGP Routing 
6.2.2.6.1 Disabling AS Path Comparison 


RFC 1771 (the IETF document defining BGP) recommends the use of the "tie-breaker" decision algorithm, 
which does not include AS-path as part of the decision process. By default, OneOS software considers the 
AS-path as a part of the decision algorithm. 


The following command makes it possible to modify the decision algorithm, so that the router does not 
consider AS-path during the decision process, thus making the router compliant with the IETF 
recommendation. To prevent the router from considering the AS-path length when selecting a route, use 
the following command in router configuration mode: 
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CLI (config-router)> [no] bgp bestpath as-path ignore 


Use the no form of the commands to include again AS-path as part of the decision process. 
6.2.2.6.2 Configuration of Default Local Preference 


The local preference is an attribute part of the BGP routing decision process. By default, the local 
preference is 100. To set a different default local preference, use the following command in router 
configuration mode: 


CLI (config-router)> [no] bgp default local-preference <value> 


The lower value is, the lower the preference is. 
Use the no form of the commands to come back to the default local preference. 


You can also use route maps to change the default local preference for specific paths in route map 
configuration mode: 


CLI (config-route-map)> set local-preference 
6.2.2.6.3 Disabling Default Next-Hop Processing 


Routers can receive routing updates, for which the next-hop router to be used is unknown. This happens 
when the network is not fully meshed (FR, ATM networks). The solution is to substitute the next-hop router 
address by a router that can be directly reached by the router (an adjacent router). There are two ways to 
manage this next-hop processing: 


e Provide a specific address to be used instead of the next-hop address (manually configuring each 
address). 


e Use a route map to specify that the address of the remote peer for matching inbound routes, or the 
local router for matching outbound routes (automatic method). 


6.2.2.6.3.1 Next-Hop Setting Using Self Address 


To disable next-hop processing and provide a specific address to be used instead of the next-hop address, 
use the following commands in neighbor or peer-group configuration mode: 


CLI (config-router-xxx)> [no] next—-hop-self 
Using this command disables next-hop processing on BGP updates to a neighbor; the router is forced to 


advertise updates with its peering address instead of the router address specified in its database. In other 
words, routers receiving this route update use the current router as next hop for that received route. 


Use the no form of the command to re-enable next-hop processing. 
6.2.2.6.3.2 | Next-Hop Setting Using a Route Map 
To configure the neighbor peering address to be used for the next hop address, use the following 


command in route map configuration mode: 


CLI (config-route-map)> set ip next—-hop <ip-address> 


Note: for further information about route maps, please refer to 6.2.3.3.3. 


With an inbound route map of a BGP peer, it sets the next hop of the matching routes to be the neighbor 
peering address, overriding any third-party next hops and allowing the same route map to be applied to 
multiple BGP peers to override third-party next hops. 


With an outbound route map of a BGP peer, it sets the next hop of the received address to the peering 
address of the local router, disabling the next hop calculation. 


The next hop must be an adjacent router. 


6.2.2.6.4 Multi Exit Discriminator Metric (MED) Configuration 
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BGP uses the Multi Exit Discriminator (MED) metric as a criterion to external neighbors about preferred 
paths. Use the following command in route map configuration mode: 


CLI (config-route-map)> set metric <number> 


The command sets the metric to the specified number for matching routes. 
6.2.2.6.4.1 Configuring the Router to Consider a Missing MED as Worst Path 
To configure the router to consider a path with a missing MED attribute as the worst path, use the following 
command in router configuration mode: 
CLI (config-router)> [no] bgp bestpath med missing-as-—worst 
The command configures the router to consider a missing MED as having a value of infinity, making the 
path without a MED-value the least desirable path. 


The no form of the command re-enables the default behavior, i.e. the MED is considered as 0 (best path). 
6.2.2.6.4.2 | Path Selection Based on MED from Other AS 


The route selection process compares (among other criteria) the MED of all different paths from the same 
AS. If you wish to enable MED comparison of paths received from any AS, use the following command in 
router configuration mode: 


CLI (config-router)> [no] bgp always-—compare-med 


Use the no form of the command to come back to default behavior (compare from the same AS). 
6.2.2.6.4.3 MED-Based Routing in Confederations 


The concept of AS confederation is later described in this document in section 6.2.4.2. To configure the 
router to consider the MED value when choosing a path in confederations, use the following command in 
router configuration mode: 


CLI (config-router)> [no] bgp bestpath med confed 
The above command configures the router to consider the MED in choosing a path from among those 
advertised by different sub-AS within a confederation. 
Use the no form of the command to come back to default behavior. 


The comparison between MED is only made if there are no external AS in the path (an external AS is an 
AS that is not within the confederation). If there is an external AS in the path, then the external MED is 
passed transparently through the confederation, and the comparison is not made. 


To configure the router to use the MED to select the best path among paths advertised by a single sub-AS 
within a confederation, use the following command in router configuration mode: 


CLI (config-router)> [no] bgp deterministic med 
The above command configures the router to compare the MED variable when choosing among routes 
advertised by different peers in the same autonomous system. 


Note that if bgp always-compare-med is enabled, all paths are fully comparable, including those from 
other AS's in the confederation, even if bgp deterministic medis also enabled. 


Use the no form of the command to come back to default behavior. 
6.2.2.6.5 Administrative Weight 


A weight is a number from 0 to 65535 used as a criterion for the route selection process. The path with the 
highest weight is preferred. This attribute is local to the router. By default, any path originated by the router 
has a weight of 32768 (routes manually configured in neighbor or peer-group configuration mode), while 
others have a weight worth 0. 


To prefer certain routes learned from a neighbor or a peer-group and assign weights on a per-neighbor or 
per-peer-group basis, use the following command in neighbor or peer-group configuration mode: 
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CLI (config-router-xxx)> weight <weight> 


To restore default weight values: 

CLI (config-router-xxx)> no weight 
Alternatively, you can selectively set the weight attribute for updates matching a route map, beginning in 
route-map configuration mode: 

CLI (config-route-map) > set weight <weight> 


If weight is configured for both route maps and neighbors or peer-group, then the weight set in route map 
prevails over the weight defined in neighbor or peer-group configuration mode. 


6.2.2.7 BGP Timer Configuration 


BGP does not broadcast message to exchange routing information, instead BGP uses a connection- 
oriented communication protocol, based on TCP. Keepalive messages are sent on a periodical basis 
(keepalive period, default 60 sec) to test neighbor presence. If the peer does not respond after hold- 
time (default 180 sec), the peer is considered as unavailable. 


It should be noted that the hold-time value is negotiated between BGP peers, by taking the smallest of 
both peer hold-time values. To change keepalive and hold-time values globally to the router, use the 
following command in BGP router configuration mode: 


CLI (config-router)> timers bgp <keepalive> <hold-time> 


To restore default timers’ values, use the following command: 

CLI (config-router)> no timers bgp 
If you wish to adjust timers only for a specific neighbor (resp. peer group), enter in neighbor (resp. peer 
group) configuration mode and enter: 


CLI (config-router-xxx)> timers <keepalive> <hold-time> 


All values above are provided in seconds. 
Timers configured for a specific neighbor or peer group override timers configured for all BGP neighbors. 
To restore the default timers' values for a BGP neighbor or a peer group, use the following commands: 


CLI (config-router-xxx)> no timers 


6.2.3 Routing Policies 


In BGP, routing policies are implemented by using filters to control the level of routing information that is 
exchanged by an autonomous system with its neighbors. Filtering is handled by: 


e Route identification based on criteria settings to differentiate routes from each other. Such criteria can 
be based on the route IP prefix, the autonomous system from which the route was originated, an AS 
path or an attribute value inside a route. 


e Permitting or denying routes depends on the filtering rules that have been setup for that juncture. A 
permitted route is accepted without change or can be submitted for attributes modification to change 
its behavior. A denied route is simply discarded. 


e = Attribute modification for a permitted route can be done if it is necessary to change the decision 
process. 


The route filtering process will use the list of all defined criteria and will stop the process when a route 
matches filtering criteria. The order in which the criteria in the list are defined becomes very important. 


BGP inbound or outbound advertisements filtering can be handled in two ways: 


e  AS-path filters can be used, by means of the ip as-path access-list command in global 
configuration mode and the neighbor filter-list command 
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e Use access or prefix lists, by means of the distribute-list command in neighbor configuration 
mode. 


6.2.3.1 AS Path Filter Definition 


In addition to filtering routing updates based on network addresses, you can specify an access list filter on 
both incoming and outbound updates based on the BGP AS paths. Each filter is an access list based on 
regular expressions. 


Regular expressions (regexp) are based on “POSIX 1003.2” and enable you to search and filter strings 
within AS paths. To achieve such filtering, the regular expression matches the input string against a 
pattern. The pattern is composed of a combination of: 


e Characters: they must be matched exactly in the string. 


e Symbols (called atoms or pieces): they are not matched themselves. They provide a parameter to 
regexp for string search. 


Atoms: 

e "." Matches any character 

e "a" The match must be done at the beginning of the string 

e "gs" The match must be done at the end of the string 

e "\" Matches the character following '\' (useful to match characters normally used as atoms or pieces) 


e "“_" Matches a punctuation symbol ("," or "{" or "}"). When applied to AS path filtering, this means 
somewhere in the middle, the beginning or the end of the input string. ("_100_" matches a string 
where AS 100 is included as a transit AS) 


Pieces: 


e "*" Matches any following string, regardless of the preceding character ("*100.*" means the route is 
originated by AS 100) 


e "+" Matches string if there is at least one occurrence of the preceding character 


e "2" Matches if the preceding character is present in the string or no character is present at all. 
Example: "xy?z" matches "xyz" or "xz" but not "xaz" 


To do such filters, define an AS path access list and apply it to updates to and from particular neighbors. 
6.2.3.2 | Community List 


In the context of BGP a community is a group of destinations that share some common attributes. A 
community is not restricted to a network neither to an autonomous system. Communities are used to 
simplify routing policies by identifying routes based on a logical property instead of an IP prefix or an 
autonomous number. 


To manage communities BGP uses the COMMUNITIES attribute that can take a numeric value from 1 to 
4294967295 (or the same in the AA: NN format). A few community values have pre-defined names; they 
are described below (pre-defined names are case sensitive): 


o internet (0:0): advertise this route to Internet community. Note that all routers belong to it 
© no-export (65535:65281):no route advertising to eBGP peers 
© no-advertise (65535:65282):no route advertising to any peer 


o local-AS (65535:65283):no route advertising outside the local autonomous system 


Communities are a handy way to control how routing information is carried from peer to peer. To use 
communities you will need to define community lists using the following command: 


CLI (configure)> ip community-list <commun-list-number> { permit | deny } 
{ <1-4294967295> | <high-community-number>:<low-community-number> 
| local-as | internet | no-advertise | no-export } 
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Where community-list-number is a number ranging from 1 to 99 that identifies one or more 
permit/deny groups of communities (up to 4 community numbers can be entered in one command). 


6.2.3.3. Routing Policies Applied to Neighbors 
6.2.3.3.1 Route Filtering 


As we are dealing with network addresses this can be done by using distribute list filters based either on 
an access list or a prefix list and apply it to the updates received from a specific neighbor. 


To filter BGP routing updates, use the following command in neighbor / peer-group configuration mode: 


CLI (config-router-xxx) > distribute-list <acl-name> { in | out } 


Use the no form of the command to stop filtering BGP routing updates. 


The neighbor prefix-list router configuration command can be used as an alternative to the neighbor 
distribute-list router configuration command, but you cannot use both commands to configure the same 
BGP peer in any specific direction. These two commands are mutually exclusive, and only one command 
(neighbor prefix-list or neighbor distribute-list) can be applied for each inbound or outbound direction. 


Prefix-list use is defined in 5.2.7.2 and access-lists use for route filtering in 5.2.7.1. 
6.2.3.3.2 AS Path Filtering 


Filtering routes based on AS path information becomes very handy when filtering is needed for all routes 
for the same or multiple AS’s. Defining access lists based on patterns as described in 6.2.3.1 instead of 
using a long list of routes defined on a prefix basis is much more efficient. 


Path filtering configuration is done by submitting the following commands. 
Step 1: In global configuration mode, define a BGP-related access list. 
CLI (configure)> ip as-path access-list <acl-name> { permit | deny } 
<as-regular-expression> 
Step 2: In global configuration mode, enter in BGP router configuration mode. 


CLI (configure)> router bgp <autonomous-system> 


Step 3: In router configuration mode, enter in neighbor or peer group configuration mode. 


CLI (config-router)> neighbor <ip-address> 
CLI (config-router)> peer-group <name> 


Step 4: In neighbor or peer group configuration mode, establish the BGP filter. 


CLI (config-router-xxx)> filter-list <acl-name> { in | out } 


Use the no form of the command to stop filtering BGP routes. 
6.2.3.3.3 Route Map 


With BGP, route maps are used to control and modify routing information. They can also be used to filter 
specific routes and to define criteria by which routes are distributed between domains. 


To define a route map and enter in route map configuration mode, use the following command in global 
configuration mode: 


CLI (configure)> route-map <map-tag> { permit | deny } <sequence-number> 
CLI (config-route-map) > 





map-tag is a string identifying the route map. 


sequence-number is an integer indicating the relative position compared to other instances that define 
the route-map. 
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When BGP applies a route-map instance to routing updates, it applies the lowest instance first. If the set of 
conditions is not met, the next instance is used and so on until either a condition is met or there are no 
more conditions to apply. Conditions are expressed using the match command that is defined as follows: 





CLI (config-route-map)> match as-path <as-—path-access-list-—name> 
CLI (config-route-map) > match community <community-list-—number> 
[exact-match] 
CLI (config-route-map)> match ip { address | next—-hop } 
{ <access-list-—number> 
| prefix-list <prefix-list-—name> } 
CLI (config-route-map)> match metric <0-4294967295> 








Filtering updates as well as modifying attributes can be done on a per-neighbor basis by using route maps. 
AS path, network numbers and community matching can be used but in order to be effective, each 
requires a corresponding as-path access-list, access-list and community-list command. 
Route maps can be applied to both inbound (to accept route) or outbound updates. 


Once filtering criteria are defined, you may wish to modify routing attributes. 
The following command selects specific community to add or replace in routing updates. 


CLI (config-route-map) > set community { add | replace } { <1-4294967295> 
| <high-community-—number>:<low-community-number> 
| local-as | internet | no-advertise | no-export } 


The following command suppresses the community attribute. 


CLI (config-route-map) > set community none 


Use the following command to delete a community list: 


CLI (config-route-map)> set comm-list <1-99> delete 


Use the following command to force the next hop IP address: 


CLI (config-route-map) > set ip next-—-hop <ip-—address> 


Use the following command to change the default local preference: 


CLI (config-route-map)> set local-preference <0-4294967295> 


To set or increment/decrement the route metric: 





CLI (config-route-map)> set metric [+|-]<metric> 
To filter updates using a pre-defined route map use the following command when in neighbor or in peer- 
group configuration mode: 


CLI (configure-router-xxx) > route-map <route-map-name> { in | out } 


6.2.4 BGP Optimizations 


In this section, we described features, which help a network engineer in simplifying and enhancing device 
configuration and performance. 


6.2.4.1. Configuration of Aggregate Address 


Aggregate routes are supported to reduce the routing table size. If several routes are exchanged for nodes 
in the same address range, the set of addresses is aggregated if they are in the same sub-network 
(address and mask). The route to the network address is exchanged rather than each route to each node 
in order to reduce the number of exchanged routes. 


You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by 
using the conditional aggregation feature described below. An aggregate address will be added to the 
BGP table if there is at least one more specific entry in the BGP table. 


To allow the creation of address aggregates, use one or more of the following commands in router 
configuration mode. 
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Use the following command to create an aggregate entry in the BGP routing table. The router will advertise 
the prefix, which summarizes a number of more specific routes. The path information is lost and is the 
same as if the route was originated from the router AS. 


CLI (config-router)> [no] aggregate-address <network>/<len> 
Use the following command to avoid loosing the path information. The router will generate the autonomous 


system set path information and will advertise the prefix and the more specific routes and include as-set 
information in the path information of updates. 


CLI (config-router)> aggregate-address <network>/<len> as-set 


Use the following command to advertise summary addresses only. The router will advertise only the prefix, 
which summarizes a number of more specific routes and will suppress these more specific routes from 
updates. 


CLI (config-router)> aggregate-address <network>/<len> summary-only 
Use the following command to avoid loosing the path information and to advertise summary addresses 
only. 


CLI (config-router)> aggregate-address <network>/<len> as-set summary-only 
6.2.4.2 AS Confederation 


Routers in a carrier network can often be managed in a single AS. However, BGP requires that all of the 
iBGP speakers (routers inside an AS) be fully meshed. This mesh may cause scalability issues, extra 
complexity and unnecessarily large routing tables. 


This problem can be circumvented using AS confederations. To reduce the mesh a large autonomous 
system (AS) is split in several sub-AS. All sub-AS are grouped into an AS confederation and the AS 
confederation is seen as a conventional AS by outside neighbor routers. 


Instead of a full mesh in AS confederation, routers inside the sub-AS are only connected with their eBGP 
neighbors and with all routers inside the sub-AS. The objective of reducing mesh complexity and routing 
table size is thus achieved. Even though routers inside an AS confederation use eBGP, routing information 
is exchanged as if they were iBGP neighbors, thus protecting routing attributes such as next-hop, MED 
and local preference. 


To configure a BGP confederation, you must specify a confederation identifier. External routers to the 
confederation interpret the group of autonomous systems as a single autonomous system with the 
confederation identifier representing the autonomous system number. 


To configure a BGP confederation identifier, use the following command in router configuration mode: 


CLI (config-router)> [no] bgp confederation identifier <autonomous-system> 


Use the no form of the above command to remove the BGP confederation identifier. 


In order to handle neighbors from other autonomous systems (within the confederation; up to 4) as eBGP 
peers (instead of iBGP neighbors), use the following command in router configuration mode to specify the 
autonomous systems that belong to the confederation: 


CLI (config-router)> bgp confederation peers <AS1> [<AS2> [<AS3> [<AS4>]]] 


Use the no form of the above command to remove peers from the confederation. 
6.2.4.3. Route Reflector Configuration 


Route reflectors are an alternative solution to the use of AS confederations. The objective remains 
identical, i.e. a reduction of the iBGP mesh. 


A reflector is a BGP router that redistributes between non-meshed routers, routes that should be learned 
via iBGP. 


The internal peers of the route reflector are divided into two groups: client peers and all the other routers in 
the autonomous system (non-client peers). A route reflector reflects routes between these two groups. 


The route reflector and its client peers form a cluster. The non-client peers must be fully meshed with each 
other, but the client peers need not be fully meshed. The clients in the cluster do not communicate with 
iBGP speakers outside their cluster. 
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When the route reflector receives an advertised route, the route advertisement is as follows: 
e A route from an external BGP speaker is advertised to all clients and non-client peers. 
e Aroute from a non-client peer is advertised to all clients. 

e A route from a client is advertised to all clients and non-client peers. 


To configure a route reflector and its clients, use the following command in neighbor configuration mode or 
in peer-group configuration mode: 


CLI (config-router-xxx)> [no] route-reflector-—client 


Use the no form of the above command to remove the route reflector. 


The above commands configure the local router as a BGP route reflector and the specified neighbor / 
peer-group as a Client. For failure resilience, several route reflectors can be declared to avoid the reflector 
being the most probable point of failure. If there are several route reflectors, they all have the same set of 
clients. 


To distinguish updates coming from several reflectors, use the following command in router configuration 
mode to assign a cluster ID for that router (you do not need to set this cluster ID when there is a single 
reflector). Cluster ID is entered as an IP address string. 


CLI (config-router)> [no] bgp cluster-id <IP-address> 


Use the no form of the above command to remove the cluster ID. 


When using route reflectors, clients are only required to be connected to the reflector(s). Clients do not 
need to be meshed. If they are, clients can exchange routes using iBGP, which are later advertised by the 
reflector(s). To avoid this unnecessary behavior, you can disable client-to-client reflection using the 
following command: 


CLI (config-router)> no bgp client-to-client reflection 


Use the following command to re-enable client-to-client reflection: 





CLI (config-router)> bgp client-to-client reflection 
6.2.4.4 Route Flap Dampening 


When using dynamic routing protocols, it becomes possible to advertise routes availability and 
unavailability, which enhances the robustness of routing. However, this also opens the door to undesirable 
effects, i.e. flapping routing. Flapping routes are unstable routes, which become up and down at an 
unacceptable pace. Therefore, the BGP protocol advertises the presence and disappearance of a route 
with poor quality. It yields to: 


e Packet loss and unnecessary routing: packets are routed to that path and get either lost or re-routed 
to an available path if the route turns out unavailable during packet transit. 


e Unnecessary overhead in managing routes: the route ups and downs generate BGP add/withdraw 
messages, which require bandwidth. 


BGP flap dampening is an optional algorithm within BGP that evaluates the route quality (by accounting 
route up and downs) and discards poor quality routes. This makes sure that this route is not further 
propagated by BGP. 


The route quality is evaluated as follows: a router with the "flap dampening" feature enabled notices that a 
route is flapping. The route is recorded in "history state" by the router as having a default penalty of 1,000. 
Whenever the route flaps again, a new penalty is added cumulatively. If the penalty reaches a threshold 
(suppress limit), the router stops advertising/redistributing this route. 


When not flapping during a half-life period (15 minutes by default), the penalty decreases by half. The 
penalty evaluation process takes place every 5 sec. The route can be re-used when the penalty is under 
the reuse limit. The max-suppress limit is the maximum time during which a route can be suppressed 
(default = 4 times half life). 


6.2.4.4.1 Enabling Route Dampening 


To enable BGP route dampening, use the following command in router configuration mode: 


CLI (config-router)> [no] bgp dampening 
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Use the no form of the command to disable BGP route dampening. 


To change the default values of various dampening factors, use the following command in router 
configuration mode: 





CLI (config-router)> [no] bgp dampening <half-life> [<reuse> <suppress> 
<max-suppress>] 


Use the no form of the command to come back to default values. 
6.2.4.4.2 BGP Flap Dampening Siatistics 


The following commands only apply to routes in the history state (i.e. flapping routes). Global flap statistics 
are given as follows: 


CLI> show ip bgp flap-statistics [vrf <vrf-name>] 


BGP flap statistics for paths matching the regular expression: 


CLI> show ip bgp flap-statistics regexp <regexp> [vwrf <vrf-name>] 


BGP flap statistics for paths matching the filter list: 


CLI> show ip bgp flap-statistics filter-list <list> [vwrf <vrf-name>] 


BGP flap statistics for routes matching exactly a network: 


CLI> show ip bgp flap-statistics prefix <network>/<len> [vrf <vrf-name>] 


BGP flap statistics for routes matching a network and associated sub-networks: 





CLI> show ip bgp flap-statistics prefix <network>/<len> longer-prefixes 
[vrf <vrf-name>] 


Display all dampened routes: 


CLI> show ip bgp dampened-paths [vrf <vrf-name>] 


You can reset BGP route dampening statistics and restore any suppressed routes by using the following 
command in global mode: 


CLI> clear ip bgp-dampening [<network>/<len>] 
6.2.4.5 Route summarization 


Route summarization is used to reduce the amount of routing information in routing tables. Automatic 
summarization is always active and cannot be de-activated. 
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6.3 BGP STATISTICS AND MANAGEMENT 


6.3.1 BGP SNMP Traps 


When a BGP neighbor connection is lost or goes up, a trap can be sent if an event manager is configured 
and if the following command is entered: 


CLI (configure)> [no] snmp traps bgp 
6.3.2 Connection Resets 


When a new policy takes effect, it is possible that the stored information has been depleted, as the new 
policy does allow different attributes and routes. To re-synchronize BGP peers, it becomes necessary to 
refresh the BGP routers. To do so, a connection reset forces BGP to retrieve/send all routing updates and 
apply the new policy. 


One could use hard reset, but this method has the disadvantage of losing all information from neighbors, 
therefore, it is recommended to use a soft reset instead. Soft reset may be applied for inbound updates 
coming from a neighbor and subsequent route re-advertisements. Soft reset is also applicable to outbound 
updates. 


6.3.2.1. Dynamic Inbound Soft Reset 
The route refresh capability must be supported by both peers. A dynamic inbound soft reset makes a soft 
reset of the inbound routing table. The command is as follows in global configuration mode: 
CLI> clear ip bgp { * | <as-number> | <ip-address> | external } soft in 
ip-address argument specifies the connection to be reset. as-number argument allows resetting 
connections for all the neighbors in a given autonomous system. Use the * keyword to specify that all 


connections be reset or the keyword external designating all external BGP peers to specify only eBGP 
connections. 


For a peer-group, use instead: 


CLI> clear ip bgp-peer-group <peer-group-name> soft in 
6.3.2.2 Outbound Soft Reset 


To perform an outbound soft reset, use the next command in global configuration mode: 


CLI> clear ip bgp { * | <as-number> | <ip-address> | external } soft out 


For a peer-group use instead: 





CLI> clear ip bgp-peer-group <peer-group-name> soft out 


The command arguments are the same as those for the Inbound Soft Reset. 
6.3.2.3 Soft Reset Configuration Using Stored Routing Policy Information 


If all of the BGP routers in the connection do not support the route refresh capability, use the soft reset 
method that generates a new set of inbound routing table updates from previously-stored information. To 
initiate storage of inbound routing table updates, you must first pre-configure the router using the neighbor 
/ peer-group soft-reconfiguration command. The clear ip bgp command initiates the soft reset, which 
generates a new set of inbound routing table updates using the stored information. 


Keep in mind that the memory requirements for storing the inbound update information can become quite 
large. To configure BGP soft reset using stored routing policy information, use the following command in 
neighbor / peer-group configuration mode: 
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CLI (config-router-xxx)> [no] soft-reconfiguration inbound 


This command resets the BGP session and initiates storage of inbound routing table updates from the 
specified neighbor / peer-group. From now on, a copy of the BGP routing table for the specified neighbor / 
peer-group is maintained on the router. 


Note: all members of the peer group will inherit the characteristic configured with this command. 


Use the no form of the command to stop storing received updates. 
6.3.2.4 | eBGP Connection Reset after Link Failure 


Normally, when a link between external neighbors goes down, the BGP session will not be reset 
immediately. If you want the eBGP session to be reset as soon as an interface goes down, use the 
following command in router configuration mode: 


CLI (config-router)> [no] bgp fast-external-—failover 


Use the no form of the command to not reset eBGP connections after link failure. 
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6.4 BGP STATISTICS 


The following command provides the routes matching the specified prefix: 


CLI> show ip bgp prefix <network>/<len> [vrf <vrf-name>] 


The following command displays all BGP routes that make use of CIDR routing: 





CLI> show ip bgp cidr-only [vrf <vrf-name>] 
The following command provides the routes permitted by the specified community. Use exact-match so 
that the route must have exactly this community attribute only (and no other communities). 
CLI> show ip bgp community <community-number> [exact-match] 
[vrf <vrf-name>] 
The following command provides the routes permitted by the specified community list. exact-match 
means the route must have exactly the same community list attribute only (and no other communities). 
CLI> show ip bgp community-list <community-list-name> [exact-—match] 
[vr£ <vrf-name>] 
The following command provides the route list matched by an access list: 


CLI> show ip bgp filter-list <access-list-name> [wrf <vrf-name>] 


The following command provides the route list matched by a regular expression: 


CLI> show ip bgp regexp <regexp> [vrf <vrf-name>] 


The following command provides the whole BGP routing table: 


CLI> show ip bgp [vrf <vrf-name>] 


The following command provides information related to neighbors (or to the specified neighbor): 


CLI> show ip bgp neighbors [<ip-address>] [vrf <vrf-name>] 


The following command provides details for BGP routes exchanged with neighbors: 


CLI> show ip bgp neighbors <ip-address> [received-routes 
routes 
| advertised-routes 
| dampened-routes] 
[vr£ <vrf-name>] 


The following command provides all BGP paths: 


CLI> show ip bgp paths [vrf <vrf-name>] 


The following command provides global, summarized information about BGP status. 


CLI> show ip bgp summary [vrf <vrf-name>] 
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7 


OPEN SHORTEST PATH FIRST PROTOCOL (OSPF) 





7. 


7.1. 


1 


OSPF INTRODUCTION AND FEATURES 


Like RIP, OSPF is an Interior Gateway Protocol in that it was specified to permit route exchange in a 
private network, typically a corporate network. The main difference with RIP is that routers running OSPF 
do not exchange routes but inform the other OSPF routers about the state of their interfaces and each 
OSPF router builds a topological database based on the information received from the other OSPF 
routers. Information about interface states is called LSA (Link State Advertisements). Using this 
information processed by the Dijkstra algorithm, a router will be able to build a shortest path tree to all 
destinations in the topological database. Based on this database, the router builds its routing table. When 
two neighboring routers have built their database and both databases are synchronized, they are called 
adjacent routers. 


OSPF was built with a two-level hierarchical design, dividing the whole network into areas. Area Border 
Routers are routers which own interfaces to two or more areas (ABR). An area topology is not visible from 
routers, which are not part of this area. This reduces the amount of information to send and store, thus 
enabling increased scalability compared with RIP. Area 0 is the top-level area and any other area must be 
connected to area 0 via at least one border router (ABR). All areas form what is called an Autonomous 
System (AS). Border Routers that are connected with networks using other routing protocols (BGP, RIP) 
are called Autonomous System Border Router (ASBR). Below is a typical architecture of a network. 





OSPF Autonomous System 


'Hello' messages are sent by an OSPF router to signal its availability to other routers. In a reverse way, the 
non-reception of ‘hello’ results in considering the router as unavailable. The 'hello' message is also used to 
elect the Designated Router (DR). The DR generates the LSA for the entire area, thus reducing the 
number of information to exchange. Also, a Backup DR (BDR) can be elected. 


Advantages of OSPF 


e Changes in the network are propagated quickly. 


e OSPF is more scalable than RIP for private networks. 
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OSPF supports VLSM (Variable Length Subnet Mask), RIP does not. 


After router initialization, OSPF only sends updates when changes in the network occur. If there is no 
link state change, the OSPF protocol is almost silent (only few ‘hello' messages = keep alive). 


The hierarchical design of OSPF enables to reduce the size of routing tables. 
Disadvantages of OSPF 


OSPF is processor-intensive as each router computes its own SPF tree and requires a lot of memory 
because multiple copies of the same information are kept in every OSPF router. This complexity 
increases exponentially with the size of the areas. 


When a link "flaps" (i.e. it goes up and down every few seconds), the network is flooded by updates 
(LSA) to advertise the new state of the flapping link. This is the trade-off with the fast OSPF 
convergence that requires any change be quickly advertised to the many area routers. (Note: BGP 
embeds a flap-dampening feature that assesses link quality and avoids such unnecessary 
advertisement.) 





7.2 


OSPF FEATURES 


The implementation complies with RFC 2328 (OSPF v2), allows the router to behave as Designated 
Router (DR) or Backup DR (BDR) on multi-access networks and supports the following options: 


Optional encrypted authentication: when an OSPF router communicates with neighbors, it can 
authenticate its message using a pre-defined password (transported in clear text). To enhance 
security, a digital signature may be included in the packet transporting the password to guarantee a 
keyed message authentication. The MD5 standard is used to generate the signature. 


Virtual Links: the concept of virtual link enables two OSPF routers to traverse an area. There are two 
scenarios requiring virtual links: 


o When two networks are merged, at least the area 0 must be merged as one. The routers of 
area 0 may not be directly connected. A virtual link enables the connection of the two parts of 
area 0. 


o When an area cannot be directly connected to area 0, a border router of the remote area is 
connected to a border router of area 0 through transit OSPF areas. 


Stub area: external routes are normally injected in OSPF areas by the ASBR as LSA type 5. Some 
areas can be flagged as a stub, when external routes must not be injected in the area by the area. 
This is often the case when an area only has one single point of exit and a default route is sufficient. 
This avoids the useless advertisement of routes in and outside the area, because IP packets should 
anyway be routed through the exit border router. All routers inside a stub area must be configured with 
the 'stub area’ option to allow adjacency of the routers. 


Not So Stubby Area (NSSA): stub areas are proven sometimes too restrictive. It is sometimes 
required to ignore advertisements from BGP but authorize those from RIP. In NSSA, OSPF routers 
filter out LSA of type 5 (in this example: those coming from BGP) but inject external routes as LSA 
type 7. 


Route summarization: this feature allows the aggregation of addresses, which is advertised in one 
route. This prevents the advertisement of multiple routes for the address aggregate. This feature 
should be activated in border routers to reduce the routing table sizes. 


RIP/BGP/Static/Default route redistribution: the routes learned by external mechanisms can be 
exported in OSPF advertisements. The cost equivalence is defined when activating such feature. 
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7.3 


7.3.1 


7.3.1.1 


OSPF CONFIGURATION 


Note: as of V4.3R2E2 software release, OSPF is only supported on the default VRF. 


For basic OSPF configuration, you only need to enable OSPF and declare the networks managed by this 
protocol (presented in the following section). Further parameters are all optional. 


Enabling OSPF 
On a Broadcast & Point-To-Point Network 


To enable OSPF process run the following command, starting in global configuration mode: 


CLI (configure)> router ospf 
CLI (config-router) > 


This brings the CLI in router configuration mode. 


To form adjacencies with other OSPF routers on a network, run the following command, starting in router 
configuration mode: 


CLI (config-router)> network <network>/<length> area <area-id> 


Where <network> is a network IP address, <length> is the length in bits of the network mask and 
<area-—id> is either a decimal value or an IP address. 


This will enable the sending of periodic 'hello' messages on all the interfaces of the router connected to the 
specified network. It is important that <length> matches exactly the mask length of the interface IP 
address. For instance, it should be 32 for a point-to-point interface. For such interface, the network must 
match the next-hop address (not the local one). 


The purpose of the 'hello' message is to establish and maintain neighbor relationships. It ensures that 
communication between neighbors is bi-directional. On broadcast and Non-Broadcast Multi-Access 
(NBMA) networks, it is also responsible for the election of the designated router. 


Example: 


interface Ethernet 0/0 
ip address 10.1.2.48 255.255.255.0 
exit 

interface atm 0 

driver ident 0 

max vp 3 

max vc 8 

range vp min 0 max 5 
range vc min 32 max 64 
execute 

exit 

gshds1l 

execute 

exit 

exit 

interface atm 0.1 

Pvc pppoa vpi 1 vci 49 
ip address 53.0.0.4 
ipecp static 
authentication pap 
username user9_0 
password oneaccess 
priority 7 

execute 
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exit 


exit 

router ospf 

network 10.1.2.0/24 area 1 
network 53.0.0.4/32 area 1 
exit 


7.3.1.2 | Non-Broadcast Networks 


For non-broadcast networks, you may specify neighbors. This is done using the neighbor command, in 
router configuration mode: 


CLI (config-router)> neighbor <neighbor-ip-address> 
The above method is not recommended as it offers a poor flexibility. Alternatively, you can configure the 
type of network under interface configuration mode as follows: 
CLI (config-if)> ip ospf network { point-to-point | broadcast 
| point—-to-multi-point } 
For example: 


interface serial 0/0.21 
! Enter in a FR sub-interface 
ip ospf network point-to-point 


7.3.2 Router Priority 


Networks are often hierarchical and it is recommended to elect as DR the router which stands at the head 
of the tree. You can set the OSPF priority to enable a router to become the default DR: 


CLI (config-if)> ip ospf priority <0-255> 


With a priority of 0, the router is not eligible. 255 is the highest priority, 1 the lowest. 


7.3.3 Router ID 


By default, the OSPF protocol takes the address of the first operational interface as OSPF router IP 
address. This might be inconvenient, as you are not able to predict the IP address of the OSPF router. 


To force the IP address of the OSPF router, use the following command, beginning in router configuration 
mode: 


CLI (config-router)> router-id <A.B.C.D> 


Note: the router ID is also important to elect the DR. When all routers have the same priority and no DR 
exists, the biggest router-ID gets elected as DR. 


7.3.4 Area Settings 


To enter in area configuration mode, please begin from the global configuration mode and enter: 


CLI (configure)> router ospf 
CLI (config-router)> area <area-id> 
CLI (config-area) > 


Route Summarization 


To reduce routing table size, route summarization allows the aggregation of several routes into a reduced 
number of routes. This applies at the ABR to inter-area route exchange for routes that are within the area. 
You need to define the network and network mask to define how the routes are aggregated. The command 
is the following: 


CLI (config-area)> range <A.B.C.D>/<length> 
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7.3.5 


7.3.5.1 


<A.B.C.D> is the network and <length> is the number of bits to match on the network. It is therefore 
recommended that inter-area route addresses are contiguous for efficient summarization. 


Stub Areas 


External routes injected in the OSPF AS are transmitted as LSA of type 5. When the 'stub area’ option is 
activated, all LSA of type 5 are discarded thus preventing external routes to be propagated by OSPF. All 
routers of the area must be configured with this attribute to allow router adjacency. To activate the stub 
area option, enter the following command: 


CLI (config-area)> [no] stub [no-summary] 
When the attribute no-summary is provided, the area is configured as “totally stubby area". In such area 


type, not only external routes are not injected in the AS, but also summarized routes coming from the other 
areas. Only intra-area LSA and default route (0.0.0.0) are exchanged. 


Not So Stubby Areas (NSSA) 


Stub areas are sometimes too restrictive. In NSSA, OSPF routers filter out LSA of type 5 but inject external 
routes as LSA type 7. By default, the ABR will translate received LSA of type 7 in LSA type 5 when 
sending them to another area. It is configured so: 


CLI (config-area)> [no] nssa [dont-translate] [no-summary] 
The dont-translate optional attribute indicates that an ABR does not translate LSA type 7 to type 5. 


The LSA are thus discarded. The no-summary optional attribute tells the ABR not to inject inter-area 
routes into the NSSA. 


Virtual Links 


Virtual link enable two OSPF routers to traverse an area. A typical case is: when an area cannot be directly 
connected to area 0, a border router of the remote area is connected to a border router of area 0 through 
transit OSPF areas. 


CLI (config-area)> [no] virtual-link <A.B.C.D> 
Where <A.B.C.D> is the IP address of the remote ABR. It is presumed that the router knows a route to 
reach this IP address. 
Authentication 


OSPF messages can be authenticated via a MD5-hashed signature. You can activate this authentication 
for a given area. In area configuration mode, the command is the following for activation of MD5: 


CLI (config-area)> authentication message-digest 


If you want to disable MD5, please use: 





CLI (config-area)> no authentication 
Configuring Interface Parameters 
Interface Passivation 


It can be useful to make an OSPF interface silent: it can receive OSPF LSA but cannot send any LSA. 
Making such interface silent is called interface passivation. To passivate an interface, use the following 
command beginning in global configuration mode: 


CLI (configure) > router ospf 
CLI (config-router) > passive-interface <type> <unit> 





7.3.5.2 Authentication 


Several commands exist in interface configuration mode that enables to modify some OSPF specific 
parameters for a given interface. 


To specify the authentication type for an interface, use the following command: 


CLI (config-if)> ip ospf authentication { message-digest | null } 
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Authentication type configured for an interface overrides type that might be configured for the area to 
which it belongs. That is why 'null' authentication type is provided. If no type is specified, simple password 
authentication is used. 


Before using this command, configure a password with: 


CLI (config-if)> ip ospf authentication-key <password> 


<password> is an alphanumeric password. 
If you rather want to use message digest authentication, use first: 
CLI (config-if)> ip ospf message-digest-key <keyid> md5 <key> 
Where <keyid> is an identifier in the range 1 to 255 and <key> is an alphanumeric password (maximum 
length: 16). 
To remove authentication type for an interface, use the no form of this command: 


CLI (config-if)> no ip ospf authentication 
7.3.5.3 Interface Cost 


Definitions: 


e An interface cost reflects the throughput of a link. The lower the cost, the more the interface is 
preferred for routing. The cost is a specific OSPF term. 


e A metric defines the overall cost of a route. To reach a destination, the router must take into account 
not only the output interface, but the efficiency of the whole path. Therefore, the OSPF algorithm 
computes the metric based on the cost of all interfaces, which are traversed along this route. A metric 
is not a term specific to OSPF; this is the value installed in the routing table. 


The default value of the cost depends on the bandwidth of the interface; it is calculated with the following 
formula: 


Cost = Ref-Val in bps / bandwidth-in-bps 
Ref-Val is 108. This will give for instance a default cost of 1 for a FastEthernet (100Mbps) interface, 10 


for an Ethernet (10Mbps) interface or 50 for an ATM PVC (2Mbps). Therefore, the higher the cost, the less 
the interface is likely to be used. 


To specify the cost of sending a packet on an interface, use: 
CLI (config-if)> ip ospf cost <cost> 
<cost> is an unsigned integer value in the range 1 to 65535. This value will be taken by the link cost in 
the Router LSA (Link State Advertisement). To return to the default cost, use the no form of this command: 
CLI (config-if)> no ip ospf cost 
Instead of 108, you can set another reference value for cost computation. The command is the following, 
beginning in router configuration mode: 


CLI (config-router)> auto-cost reference-—bandwidth <1-4294967> 


The reference value is provided in Mbps. (Using 100 sets the default value). 
7.3.5.4 | Route Redistribution and Interworking with Other Routing Protocols 
7.3.5.4.1 Administrative Distance 


For the same destination, it might be possible that several routes exist in BGP, RIP or OSPF databases. 
The router installs the route in its routing table based on the ‘administrative distance’ value. The distance is 
a parameter that you can set for each routing protocols and that reflects the level of confidence in a routing 
protocol. For example, you may want to always select the BGP route if it exists. Since the lower the 
distance, the higher the confidence, BGP must have the lowest administrative distance. 


The OSPF administrative distance is set as follows, beginning in global configuration mode: 


CLI (configure)> router ospf 
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CLI (config-router)> distance <1-255> 
7.3.5.4.2 Distribute List 


OSPF update filtering enables the router to select route prefixes that are advertised globally and/or per 
interfaces. The command is the following: 


CLI (config-router) > distribute-list <acl-name> out [static | rip | bgp] 


If the optional arguments are not provided, the filtering applies to all redistributed routing updates. The 
access lists are standard access lists. See access-lists used for route filtering in 5.2.7.1. 


7.3.5.4.3 Route Redistribution 
7.3.5.4.3.1 Introduction to External Route Metric Types 


When redistributing routes, you can choose whether the metric shall be of type E1 or E2. 


E1 metric means the metric is the sum of all interface costs in OSPF domain for that route + external 
interface cost. E2 means the route metric is equal to the cost of the external interface cost, independently 
from all interface costs in the OSPF domains. 


7.3.5.4.3.2 Default Route 


An ASBR router can send a default route (0.0.0.0) in the OSPF domain, when it has received it from 
another protocol (e.g. RIP). To do so, use the following command in router configuration mode: 


CLI (config-router)> [no] default-information originate [always] 


[metric <metric>] [metric-type { 1 | 2 }] [route-map <route-map-id>] 


If the keyword always is added, it implies the router sends a default route regardless of the fact that it has 
really a default route or not. You can associate a route metric for this default route (default metric: 20) and 
set the metric type. You can optionally use route maps (see below). 


7.3.5.4.3.3 Injection of External Routes 


You can redistribute in OSPF dynamically learned or statically configured routes by means of the 
redistribute command. Use the following command in router configuration mode: 


CLI (config-router)> [no] redistribute { bgp | rip | static | connected } 
[metric <metric>] [metric-type { 1 | 2 }] [route-map <route-map-id>] 


7.3.5.4.3.4 | Route Maps 


You can optionally use route maps to advertise only certain LSA. Route maps are a global mechanism for 
routing protocols that enables the filtering of undesired routes. As route-maps can be used for BGP, RIP 
and OSPF, some configuration commands for route maps are only relevant for certain protocols (mostly 
BGP), hence the fact that they are detailed in each section for every routing protocols. 


To define a route map use the following command, beginning from the global configuration terminal: 


CLI (configure)> route-map <map-tag> { permit | deny } <sequence-number> 


Where 
map-tag Is a string identifying the route map. 


sequence-number is an integer indicating the relative position compared to other instances that define 
the route-map. When OSPF applies a route-map instance to routing advertisements, it applies the lowest 
instance first. If the set of conditions is not met the next instance is used and so on until either a condition 
is met or there are no more conditions to apply. We generally use "10" as sequence-number when 
creating the route map and use increments of "10" for the following route map sequence, so that you can 
insert easily other route map instances between already configured instances. 
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Conditions are expressed using the match command that is defined as follows: 


CLI (config-route-map)> match ip { address | next—-hop } 
{ <access-—list-—number> | prefix-list <prefix-list-name> } 





When using the address keyword, the match clause applies the access/prefix list to the advertised 
network. When using the next-hop keyword, the match clause applies the access/prefix list to the next- 
hop of the advertised network. Prefix-list use is defined in 5.2.7.2 and access-lists use for route filtering in 
§.2.7.1. 


You can filter LSA using tags. An OSPF tag is a special field in LSA, encoded over 32 bits that can be 
used as a configuration facility to mark and to filter LSA: 


CLI (config-route-map) > match tag <0. .4294967295> 


To set a tag, use: 
CLI (config-route-map)> set tag <0..4294967295> 


You can modify the route metric of matching advertisements: 


CLI (config-route-map)> set metric <metric> 


To set the metric type: 


CLI (config-route-map)> set metric-type { type-1 | type-2 } 
7.3.5.4.3.5 Distribute List 


Let us imagine that you want a network using BGP to be aware of routes in an OSPF cloud and vice-versa. 
You need to mutually redistribute protocols from BGP to OSPF and OSPF to BGP. Under certain 
circumstances, you can create routing loops. To avoid such undesirable effects, the solution is to filter out 
OSPF routes injected in other routing domain. 


On an ASBR, you can filter routes that are redistributed into an external routing domain (such as RIP). The 
command is the following (in router configuration mode): 


CLI (config-router)> distribute-list <acl-name> out { bgp | rip | ospf 


static | connected } 


acl-name is the name of the standard access list filtering the route. 


7.3.6 OSPF Tuning 
7.3.6.1 Timers 


The following parameters can be defined for an interface or virtual link. For an interface, please enter in 
interface configuration mode. For virtual link, enter in area configuration mode and substitute 'ip ospf' 
by 'virtual-link <A.B.C.D>'. 


To specify the number of seconds before the router will declare its neighbors down, without getting ‘hello’ 
packets, use the following command: 


CLI (config-if)> ip ospf dead-interval <seconds> 


The <seconds> parameter is a positive integer representing the interval. 


This value is advertised in ‘hello’ packets sent out on this interface. It must be the same for all routers 
connected to the same network. The default value is four times <hello-interval>. 


To return to the default value of this interval, use the no form of this command: 
CLI (config-if)> no ip ospf dead-interval 


To specify the time between ‘hello’ packets that the router sends on this interface, use the following 
command: 


CLI (config-if)> ip ospf hello-interval <seconds> 
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The <seconds> parameter is a positive integer representing the interval. 


This value is advertised in ‘hello’ packets sent out on this interface. It must be the same for all routers 
connected to the same network. The default is 10 seconds. To return to the default value of this interval, 
use the no form of this command: 


CLI (config-if)> no ip ospf hello-interval 
To specify the delay length before retranslating a link state advertisement for which no acknowledgement 
has been received, use the following command: 


CLI (config-if)> ip ospf retransmit-interval <seconds> 


Where <seconds> is a positive integer, which must be greater than the estimated round-trip delay 
between two neighbors on the network. The default is 5 seconds. To return to the default value of this 
interval, use the no form of this command: 


CLI (config-if)> no ip ospf retransmit-—interval 
On low speed interfaces, it might take a long time to transmit a LSA; therefore adjacency between routers 
is not achieved properly and that routers are synchronized with a too long time offset. By default, it is 


assumed that it takes 1 sec to transmit the LSA. But on low speed interfaces, the OSPF router needs to 
"anticipate" coping with the slow speed of the link. The command is the following: 


CLI (config-if)> transmit-delay <time-in-s> 
7.3.6.2 Override MTU Check 


By default, OSPF routers dialog with each other if they have exactly the same MTU. However, it may be 
possible that the MTU is not equal for both routers. For example, an OSPF router A is connected to an 
Ethernet switch using conventional Ethernet. Router A must dialog with router B, connected on the same 
switch, but using VLAN. The VLAN header reduces MTU. If you want to disable MTU comparison, use the 
following command in interface configuration mode: 


CLI (config-if)> [no] ip ospf mtu-ignore 
7.3.6.3. OSPF Behavior Tuning 


You normally do not need to tune such parameters. 


By default, the OneOS implementation complies with RFC 2328. You may have to connect OneOS-based 
routers with older equipment using an implementation based on RFC 1583. To do so, begin in global 
configuration mode and enter: 


CLI (configure)> router ospf 
CLI (config-router)> [no] compatible rfc1583 





It is also possible that the OneOS-based ABR router must inter-operate with equipment having some old, 
non-RFC compliant features. In OSPF router configuration mode, it is configured as follows: 


CLI (config-router)> abr-type { cisco | ibm | standard } 


By default, 'standard' is selected, which means the behavior complies with RFC 2328. 
7.3.6.4 Overflow Management of External Routes 


OSPF is an Interior Gateway Protocol, that is to say, it is designed to manage routing in private networks. 
When external routes are advertised in the OSPF AS from an External Gateway Protocol (like BGP), it 
becomes possible thousands of routes be injected in OSPF. As OSPF is very processor- and memory- 
consuming, this can result in poor router performance. To avoid such situation, you can protect the router 
by limiting the number of processed external routes, using the ‘overflow’ command beginning in router 
configuration mode: 





CLI (config-router) > overflow external <nb-external-routes> <silent-time> 


<silent-time> is the time in seconds, ranging from 0 to 65535, during which the router ignores any 
updates for injected external routes. To restore default values, use: 


CLI (config-router)> no overflow external 
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Default values are: 
e 3000 external routes (8000 external routes for the ONE400): 


e 1800 seconds silent time (80 minutes) 





7.4 STATISTICS 


Several 'show' routines are available to display OSPF statistics. General statistics are provided with: 


CLI> show ip ospf 


For information about ABR, use: 

CLI> show ip ospf border-routers 
As the OSPF database contains a fairly high number of information, you can view a part of the OSPF 
database using the following command and options 


CLI> show ip ospf database [ asbr-summary 
| external 

| network 

| router 

| summary 

| max—age 

| self-originate ] 


For information about an OSPF interface, use: 


CLI> show ip ospf interface [<interface-type> <unit>] 


For information about neighboring OSPF routers, use: 


CLI> show ip ospf neighbor [all | <A.B.C.D> | detail] 


For information about an OSPF routes, use: 





CLI> show ip ospf route 
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fs 


5 


OSPF DEBUG 


To solve configuration issues, you might have to activate trace functions. It is based on the 'debug 
<...>' command and is deactivated using the 'no' form of the command ('no debug <...>"). 


To debug ABR-related issue, use the following command: 

CLI> debug ospf abr 
To debug events in the interface state machine (ISM, i.e. the transitions between the OSPF interface 
states), use the following command: 

CLI> debug ospf ism 
To debug events in the neighbor state machine (NSM, i.e. the transitions between the OSPF neighbor 
states), use the following command: 

CLI> debug ospf nsm 
To debug interface state machine (ISM, i.e. the transitions between the OSPF interface states), use the 
following command: 


CLI> debug ospf ism 


To debug general OSPF protocol state transitions, use the following command: 


CLI> debug ospf events 


To debug exchange of external routes with OSPF, use the following command: 


CLI> debug ospf external 


To debug and decode all OSPF protocol packets, use the following command: 





CLI> debug ospf packet 


To monitor LSA, use the following command: 


CLI> debug ospf lsa [generate | install | flooding | refresh] 


To debug NSSA - related information, use the following command: 





CLI> debug ospf nssa 
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8 BI-DIRECTIONAL FORWARDING DETECTION (BFD) 





8.1 BFD FEATURES 


BFD allows a quick detection of faults between two routers, which are usually directly connected. The 
protocol relies on UDP such that routers can mutually detect if they can reach each other. BFD can be 
used in OneOS to disable static routes towards a router when BFD peering is lost. In asynchronous mode, 
BFD peers send each other "Hello" packets to verify connectivity. BFD is usually faster than other routing 
protocols to detect failures. BFD is used in OneOS to bring down some static routes when connectivity with 
remote routers is lost. When such "main" routes are down, backup routes can then take over IP traffic 
routing. BFD is an alternative solution to the following configuration techniques: 


e It is not possible to detect all layer-1 or layer-2 faults between the ONE router and the PE router with: 
o Either link-down events or layer-2 OAM (ATM or Ethernet OAM for example), 
o Or IP route tracking. 


e Other IP routing protocols cannot be used. 


OneOS BFD implements the following draft standards: 

e = draft-ietf-bfd-base-10.txt 

e = draft-ietf-bfd-v4v6-1 hop-11.txt 

Full compliance with RFC 5881 is not guaranteed yet at the moment. 
The following features are supported: 

e Compatible with a neighbor in asynchronous mode, 

e echo mode, 

e Poll sequence, 


e Active role: send BFD control packets for a session regardless of whether it has received any BFD 
packets for that session, 


e A system is required to maintain session state, even when a session is down, until a Detection Time 
has passed without the receipt of any BFD control packets, 


e If BFD is to be used in conjunction with both IPv4 and IPv6 on a particular link, a separate BFD 
session must be established for each protocol over that link, 


e BFD control packets must be transmitted in UDP packets with destination port 3784, within an IPv4 or 
IPv6 packet. The source port is in the range 49152 through 65535, 


e The same UDP source port number must be used for all BFD control packets associated with a 
particular session. 
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8.2 BFD CONFIGURATION COMMANDS 


BFD must be activated on a per-interface basis as follows: 


CLI> configure terminal 
CLI (configure)> interface <ifname> <unit> 
CLI (config-if)> bfd interval <send> min_rx <receive> multiplier <value> 





send is the minimum interval in milliseconds (from 200 to 30000 ms; default value is 750 ms) between 
BFD control packets that are sent. receive is the minimum expected interval in milliseconds (from 200 to 
30000 ms; default value is 500 ms) between two received BFD control packets. value is the number (from 
1 to 20; default value is 3) of consecutive BFD control packets that must be missed before the neighbor is 
declared unavailable. 


To disable BFD on the specified interface: 

CLI (config-if)> no bfd interval 
Applying defaults on BFD will actually activate BFD with the default parameter set (even if the command 
bfd interval was never entered). The command is: 


CLI (config-if)> default bfd interval 


Then, declare the IP addresses of BFD peers (neighbors) under global configuration terminal: 


CLI (config-if)> exit 
CLI (configure)> [no] ip route static bfd <ifname> <unit> <neighbor-ip> 
CLI (configure)> [no] ipv6 route static bfd <ifname> <unit> <neighbor-ip> 





Some static routes on interface can be configured, whose validity depends on BFD peering for the related 
(interface, neighbor) couple: 


CLI (configure)> [no] ip route <network> <mask> <ifname> <unit> 
<neighbor-ip-address> 
CLI (configure)> [no] ipv6 route <network> <mask> <ifname> <unit> 
<neighbor-ip-address> 





Some static routes on next hop can be configured, whose validity depends of BFD peering for the related 
next hop: 





CLI (configure)> [no] ip route <network> <mask> <next—hop-neighbor-ip> 
CLI (configure)> [no] ipv6 route <network> <mask> <next-hop-neighbor-ip> 








8.3 BFD STATISTICS 


To display BFD neighbor status information: 


CLI> show ip bfd neighbors [details] 


To debug / troubleshoot BFD (to show BFD debugging trace): 





CLI> [no] debug ip bfd [fsm | packet | socket] 
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8.4 BFD CONFIGURATION EXAMPLE 


IPv4 example: 


interface FastEthernet 0/0 

ip directed—-broadcast 

ip address 220.2.2.81 255.255.255.0 
! activation of BFD on FastEthernet 0/0 interface 

bfd interval 750 min_rx 500 multiplier 3 
exit 
! declaration of BFD neighbor 220.2.2.2 on FastEthernet 0/0 interface 
ip route static bfd FastEthernet 0/0 220.2.2.2 











! classical static route on FastEthernet 0/0 interface 
ip route 2.2.2.0 255.255.255.0 FastEthernet 0/0 

! BFD static route on FastEthernet 0/0 interface available only when BFD 
neighbor 220.2.2.2 is UP 

ip route 3.3.3.0 255.255.255.0 FastEthernet 0/0 220.2.2.2 

! classical static route on next hop 

ip route 1.1.1.0 255.255.255.0 220.2.2.3 

! BFD static route on next hop available only when BFD neighbor is UP 


ip route 0.0.0.0 0.0.0.0 220.2.2.2 





IPv6 example 


interface FastEthernet 0/3 
ipv6 address prefix 2000: :0081/64 
! activation of BFD on FastEthernet 0/3 interface 
bfd interval 750 min_rx 500 multiplier 3 
exit 
! declaration of BFD neighbor 2000::0002 on FastEthernet 0/3 interface 
ipv6 route static bfd FastEthernet 0/3 2000: :0002 








Ethernet 0/3 interface available only when BFD 





! BFD static route on Fast 
neighbor 2000::0002 is UP 
ipv6 route 4000::/64 FastEthernet 0/3 2000::0002 

! BFD static route on next hop available only when BFD neighbor is UP 


ipv6 route 5000::/64 2000: :0002 
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9 


MULTICAST ROUTING 





9.1 


9.1 


9.1 


1 


2 


PRINCIPLES OF MULTICAST ROUTING 


Why Multicast 


The IP protocol defines three types of IP packets: unicast, broadcast and multicast. Unicast packets are 
destined from a source to a destination host. Unicast is intended for host-to-host communication. 
Broadcast packets are emitted by a single host and destined to all hosts of the same network. The 
broadcast mode is thus intended to send information to multiple hosts, which may have interest in 
receiving these information pieces. However, the broadcast mode cannot scale in large networks as it 
means waste of bandwidth (because all listening hosts do not have interest in receiving that packet) and 
possible networking issues such as broadcast storm in case of a routing loop. That is the reason why a 
third type of IP packet was introduced: multicast packet. 


“Multicast” is an IP packet type designed to send data to a group of selected hosts. In other words, 
multicast is intended for point-to-multipoint communication. Example of applications for multicast: 


e Routing protocols (RIP, OSPF), where routing information are exchanged between routers via 
multicast packets. 


e Voice and video broadcasting: multiple end-users register to a server in order to receive a multimedia 
stream. 


IP packets are multicast packets when their IP address belongs to the range 224.0.0.0 to 
239.255.255.255. Actually, the range of IP addresses was partitioned by the IANA into sub-categories. 
224.0.0.0 to 224.0.0.255 is reserved for routing protocols. Only the range 224.0.1.0 to 238.255.255.255 is 
allocated to user address space. A multicast address thus corresponds to a multicast application running 
between a multicast source and receiving hosts. 


On an Ethernet network, a multicast packet is transported in a special MAC frame. Therefore, a multicast 
sender only has to forward a single MAC frame when sending multicast flows to multiple destinations on 
the LAN. The last three bytes of the multicast IP address are copied into the MAC destination address as 
follows: if the multicast IP address is ???.X.Y.Z, the Mac frame is 01:00:5E:X:Y:Z. Therefore, the first 5 bits 
of the multicast IP is not mapped, which can seldom yield to conflicts, which can be avoided with good 
network design practices. 


Components of a Multicast Network 


Let us look at an example to make things clearer. At one hand, a video streaming server is running and is 
connected to a multicast network. On the other hand side, some computers connected to a same multicast 
router would like to receive the video stream. The computers join and leave the multicast group to start and 
stop receiving the video stream while the server continues to broadcast video. 


The computers requests that the multicast flow be sent to them using the IGMP protocol. The IGMP 
protocol enables them to announce that they are willing to join and leave a multicast group. The multicast 
router receiving the join request will in turn try to find the multicast source. To find that source, a multicast 
routing protocol is needed to inform multicast routers that the multicast flow must be forwarded to the 
requiring router. The role of the multicast routing protocol is to build a multicast distribution tree. Building a 
distribution tree tells where multicast packets must be replicated so that the first single multicast packet is 
forwarded to all destinations. The multicast routing topology can be optimized to privilege the shortest path 
from source to destination or the overall bandwidth required in the backbone. 


Advanced IP User Guide Page 9.1-98 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 


A distribution tree can be either a source tree or a shared tree. A source tree forms a tree, which has the 
shortest path (Shortest Path Tree: SPT) from the source to all destinations. A shared tree is a tree that is 
not optimal in terms of distance from the source to destination but rather tries to share segments of the 
tree between multiple destinations. Shared trees enable to replicate less multicast packets. As the shared 
trees are less complex (because they have less segments), multicast routers have less neighbor status 
information to maintain, which requires less resources than a source tree model. 
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Note: it is possible to traverse networks not supporting multicast routing. To do so, a common solution is 
that the multicast routing protocol is encapsulated in a GRE tunnel. 
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9.2 


9.2.1 


9.2.2 


PROTOCOL INDEPENDENT MULTICAST (PIM) 


Introduction 


The PIM-SM (Protocol Independent Multicast Sparse-Mode) is a protocol for routing multicast packets to 
multicast groups. OneOS supports PIM-SM version 2. It is designed to create distribution tree along the 
reverse path from the receivers towards the sources. PIM is called “independent” because it uses unicast 
routing table (populated by other routing protocols such as static, connected, RIP, OSPF ... routes) to build 
the distribution tree. The unicast routing table is also the routing information base used to perform Reverse 
Path Forwarding (RPF) check: RPF check consists of verifying that a received packet was received from 
the expected interface that matches the route in the unicast routing table. With unicast packets, RPF helps 
in preventing IP spoofing. With PIM-SM routing, the RPF check is intended to determine upstream 
neighbors form which multicast traffic would take from the source. A router forwards multicast packets only 
if it is received on the upstream interface. 


PIM neighbor discovery is performed using Hello messages sent periodically to on all PIM interfaces. 


PIM-SM uses Shared Tree as multicast distribution tree. The Shared Tree model needs one or more 
Rendezvous Point (RP) placed in the PIM-SM domain, and known by the others PIM-SM routers. The 
multicast traffic generated from a source is sent to the RP, and then it is forwarded down the shared tree to 
the receivers. A multicast source and receivers can communicate together if their attached routers know 
how to reach a common RPP router or different RP routers (reachable with each other). 


Rendezvous Point can be configured statically or dynamically using Bootstrap (BSR) messages. 


When a receiver joins a multicast group, it sends an IGMP report message. The multicast router directly 
connected to the receiver, elected as a DR (Designated Router), sends a PIM Join message to the RP for 
that multicast group. The Join message is forwarded to the RP and that creates hop-by-hop a distribution 
tree. 


When a source starts sending multicast traffic for that multicast group, the multicast router directly 
connected to the source and elected as DR encapsulates the packets as unicast packets and sends them 
to the RP with a Register message. The RP de-encapsulates the packets and forwards the data down 
through the shared tree to reach the receiver(s) listening to that group. 


In the shared tree model, the multicast data flows down through the RP. But a receiver could reach a 
source with a shortest path other than the route via the RP. Indeed the route via the RP may involve an 
important detour. To optimize use of the bandwidth on the RP path or to reduce latencies, the receiver's 
local DR router may initiate the shortest path tree (SPT) transfer or not, by sending a Join message directly 
to the source. After the sender’s local DR has received the Join message, multicast traffic starts flowing 
down through the SPT. At this point, data are forwarded to the receiver using two paths, the shared path 
tree and the shortest path tree. When the receiver's local router establishes it has received two copies of 
the packets, it drops packets form the RP and sends a Prune message towards the RP. The Prune 
message tells the RP to stop forwarding the multicast data. 


PIM-SM Configuration Steps 


Required steps: 
e Enable Multicast Routing 


e Enable PIM Sparse Mode on interfaces 


Configure Rendezvous Point (RP): 
o Either: Configure router as static RP 


o Or (and) Configure router as Candidate RP 


Configure router as Candidate BSR (optional) 


Optional steps: 
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e Configure TTL Threshold on interfaces 
e Configure SPT switching threshold 
e Configure Register source address 


e Configure static multicast routes 


9.2.3 PIM-SM configuration commands 
9.2.3.1. Enabling Multicast Routing 


Note: as of V4.3R2E2 software release, multicast routing is only supported on the default VRF. 


Multicast routing enables the router to forward multicast flows. To enable IP multicast forwarding on the 
router, use the following command in global configuration mode: 


CLI (configure)> ip multicast-routing 


To disable Multicast Routing, use the following command in global configuration mode: 


CLI (configure)> no ip multicast-routing 
9.2.3.2 Enabling PIM Sparse Mode 


To enable PIM Sparse Mode on a router interface, first select the interface and use the following command 
in interface configuration mode: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip pim sparse-—mode 
To disable PIM Sparse Mode, use the following command in interface configuration mode: 


CLI (config-if)> no ip pim sparse-mode 


By default, PIM-SM is not activated. 
9.2.3.3. Configuring Static RP 


To configure a static RP on the router, use the following commands beginning in global configuration 
mode: 


CLI (configure)> ip pim rp-address <ip-address> 
[group-list <access-—list-name> ] 
[override] 


By default, a static RP has the lowest priority. If the override keyword is entered, the static RP is always 
preferred over dynamically learnt RP. To remove a static RP, use the following command in global 
configuration mode: 


CLI (configure)> no ip pim rp-address <ip-address> 
9.2.3.4 | Configuring Candidate RP 


To configure the router to advertise itself as Candidate RP, use the following command in global 
configuration mode: 


CLI (configure)> ip pim rp-candidate <interface> 
[group-list <access-—list-—name>] 
[interval <0-65535>] 
[priority <0-255>] 


The IP address of interface (type and unit) is the IP address that is advertised as RP candidate IP 


address. group-list specifies the multicast group prefixes advertised by this router. interval is the 
RP advertisement interval (default 60s). priority is the RP priority (the lowest —priority— number has the 
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highest priority). The default priority is 0. To remove the router as Candidate RP, use the following 
command in global configuration mode: 


CLI (configure)> no ip pim rp-candidate 
9.2.3.5 Configuring Candidate BSR 


The BSR is elected according to a priority number. The BSR advertises which RP is in charge of building 
the multicast distribution tree for a particular multicast group. In order to select the group prefixes per RP, 
the RFC 2362 (PIM-SM) defines a hash function requiring a hash mask length. By default, the mask is 
30 bits long. To configure the router as Candidate BSR, use the following command in global configuration 
mode: 


CLI (configure)> ip pim bsr-candidate <interface> 
[hash-mask-len <0-32>] 
[priority <0-255>] 


The IP address of interface (type and unit) is the IP address that is advertised as BSR candidate IP 
address. The highest priority is preferred (default value is 0). To remove the router as Candidate BSR, use 
the following command in global configuration mode: 


CLI (configure)> no ip pim bsr-candidate 
9.2.3.6 | Configuring TTL Threshold on interfaces 


The time-to-live (TTL) threshold value controls if a multicast packet can be forwarded on the interface. 
Packets are forwarded, only if the TTL value is greater than the TTL configured on the interface. The TTL 
is decremented every time a multicast packet is forwarded. 


To configure a TTL threshold on an interface, use the following command in interface configuration mode: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip multicast ttl-threshold <tt1l-value> 





To restore the default TTL threshold on an interface, use the following command in interface configuration 
mode: 


CLI (config-if)> no ip multicast ttl-threshold 


By default, TTL threshold value is 1. 
9.2.3.7 | Configuring SPT switching threshold 


The shortest path -source— tree (SPT) switching threshold enables the router to automatically switch form 
the shared path tree to the shortest path tree after multicast traffic rate is greater than the configured rate. 
To configure the SPT switching threshold, use the following command in global configuration mode: 


CLI (configure)> ip pim spt-threshold <rate-in-kbps> 


To restore the default SPT switching threshold, use the following command in global configuration mode: 


CLI (configure)> no ip pim spt-threshold 


By default, the SPT switching threshold is 8 kbps. 
9.2.3.8 Configuring Register source address 


To configure a source IP address for sending the register message that is different from the outgoing 
interface IP address, use the following command in global configuration mode: 


CLI (configure)> ip pim register-source <interface> 


To restore the default source address for register message, use the following command in global 
configuration mode: 


CLI(configure)> no ip pim register-source 
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9.2.3.9 


9.2.3.1 


9.2.3.1 


9.2.4 


Configuring IP Multicast Static Route 


To configure an IP multicast static route, use the following command in global configuration mode: 


CLI (configure)> ip mroute <source-address> <mask> [<rpf-address> 
| <interface> <unit>] 


To remove an IP multicast static route, use the following command in global configuration mode: 


CLI (configure)> no ip mroute <source-address> <mask> [<rpf-address> 
| <interface> <unit>] 


0 Configuring IP Multicast Route Limit 


To limit the number of multicast states that can be added to a multicast routing table use the following 
command in global configuration mode. To disable this configuration, use the no form of this command. 


CLI (configure)> [no] ip multicast route-limit <limit> [<threshold>] 


limit is the number of multicast routes that can be added. The range is from 1 to 2147483647, the latter 
being the default value. 


threshold is the number of multicast routes that cause a warning message to occur. The threshold value 
must not exceed the limit value. 


1 Configuring IP Multicast Scope Group 


To configure an administratively scoped boundary, use the following command in interface configuration 
mode. To remove the boundary, use the no form of this command. 


CLI (config-if)> [no] ip multicast boundary <access-list> [in]out] 


access-list is the number or name identifying an access list that controls the range of group addresses 
affected by the boundary. The access list must be a standard access list when no direction is given 
(neither in nor out). It can be a standard or extended access list when applied to one direction (in or 
out) or to both directions (two commands with in and out). 


Configuration Example 


In the following example, router C is the RP for all possible group addresses, because no restricting 
access-list is associated with this router. The receiver in network 192.168.2.0/24 joins any group G, by 
means of an IGMP report message received by router A. Consequently, Router A sends PIM join 
messages for group G to the RP, building a branch of the RP tree for group G. As soon as Source on 
network 20.1.1.0 begins to send data packets destined to group G, router B sends these packets 
encapsulated in register messages to the RP, which forwards them down the RP tree towards the 
Receiver. AS no command spt-threshold is configured on router A, the default data threshold is 
8 kbps. If the data throughput exceeds this value, router A joins directly router B for building the SP tree 
towards the source (because it is the shortest path): at this time, data will flow directly from router B to 
router A, which causes router A to send PIM prune messages to RP to stop the data flow coming down the 
FP tree. In addition, router B will continue to send the data packets in register messages to the RP, which 
will respond by register-stop messages to router B because the RP has no more receivers down the RP 
tree for group G. 
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Router A configuration: 


ip multicast-—routing 
interface fastethernet 0/0 
ip address 192.168.2.1 
ip pim sparse-mode 
exit 
interface fastethernet 0/1 
ip address 194.1.1.1 
ip pim sparse-mode 
exit 
interface atm 0 
driver ident 0 
max vp 8 
max vc 8 
range vp min 0 max 10 
execute 
exit 
gshds1 
linerate adaptive 384 2304 
mode 2_wire 
execute 
exit 
exit 
interface atm 0.1 
Pvc pppoa vpi 8 vci 35 
ip address 168.112.112.1 
ipecp static 
authentication no 
execute 
exit 
ip pim sparse-mode 
exit 
ip route 20.1.1.0 255.255.255.0 atm 0.1 
ip route 190.1.1.0 255.255.255.0 194.1.1.8 
ip pim rp-address 190.1.1.8 


Router B configuration: 


ip multicast-routing 
interface fastethernet 0/0 
ip address 20.1.1.2 
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9.2.5 


ip pim sparse-mode 
exit 
interface fastethernet 0/1 
ip address 190.1.1.2 
ip pim sparse-mode 
exit 
interface atm 0 
driver ident 0 
max vp 8 
max vc 8 
range vp min 0 max 10 
execute 
exit 
gshds1l 
equipment CO 
linerate adaptive 384 2304 
mode 2_wire 
execute 
exit 
exit 
interface atm 0.1 
Pvc pppoa vpi 8 vci 35 
ip address 168.112.112.2 
ipcp static 
authentication no 
execute 
exit 
ip pim sparse-mode 
exit 


ip route 192.168.2.0 255.255.255.0 atm 0.1 


ip pim rp-address 190.1.1.8 


Router C configuration: 


ip multicast-routing 
interface fastethernet 0/0 
ip address 190.1.1.8 
ip pim sparse-mode 
ixit 
interface fastethernet 0/1 
ip address 194.1.1.8 
ip pim sparse-mode 
exit 


ip route 20.1.1.0 255.255.255.0 190.1.1.2 


ip pim rp-address 190.1.1.8 


Statistics 


To display statistics about multicast routing: 


CLI> show ip multicast statistics 


To display information about multicast route cache: 


CLI> show ip multicast cache 


To display information about PIM interface: 


CLI> show ip pim interface 


To display information about PIM neighbors: 


To display information about PIM route: 





CLI> show ip pim route 


CLI> show ip pim neighbors 
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To display list of PIM Rendezvous Point (RP): 


CLI> show ip pim rp 


To display RP mapping information about a multicast group: 





CLI> show ip pim rp-hash <group-address> 


To display statistics about PIM: 





CLI> show ip pim statistics 


9.2.6 Debug and Trace 


To enable multicast reverse path forwarding debugging, use the following command: 


CLI> [no] debug ip multicast 


To enable all PIM debugging, use the following command: 


CLI> [no] debug ip pim 


To enable PIM Assert packets debugging, use the following command: 


CLI> [no] debug ip pim assert 


To enable PIM bootstrap packets debugging, use the following command: 


CLI> [no] debug ip pim bootstrap 


To enable PIM RP selection debugging, use the following command: 


CLI> [no] debug ip pim cand-rp 


To enable PIM packet detail debugging, use the following command: 





CLI> [no] debug ip pim detail 


To enable PIM group specific debugging, use the following command: 


CLI> [no] debug ip pim group 


To enable PIM hello packets debugging, use the following command: 


CLI> [no] debug ip pim hello 


To enable PIM join/prune packets debugging, use the following command: 


CLI> [no] debug ip pim join 


To enable PIM register packets debugging, use the following command: 





CLI> [no] debug ip pim register 


To enable PIM route states debugging, use the following command: 


CLI> [no] debug ip pim route 


To enable PIM reverse path forwarding debugging, use the following command: 


CLI> [no] debug ip pim rpf 
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9.3 IGMP 


9.3.1 Features 


Internet Group Management Protocol (IGMP) is a protocol used by IPv4 systems to report IP multicast 
memberships to neighboring multicast routers. 


IGMP protocol is based on two kinds of messages: queries and reports. While routers send queries to 
inform clients about their presence, clients answer and send report messages to tell which multicast group 
they want to be added to. 


Further to the first released IGMP version, IGMP version 2 introduces a new kind of packet defined as 
“leave” message, sent once an IGMPv2 application is closed. IGMPv3 adds support for source filtering, 
which enables a multicast receiver host to signal to a router which groups it wants to receive multicast 
traffic from, and from which source(s) this traffic is expected. Two main modes are supported in IGMPv3 
messages: INCLUDE mode and EXCLUDE mode. While the former announces membership to a host 
group and provides a list of IP addresses (the INCLUDE list) from which it wants to receive traffic, the latter 
announces membership to a host group and provides a list of IP addresses (the EXCLUDE list) from which 
it does not want to receive traffic. The fact that multicast source can be selected is often referred to as 
Source Specific Multicast (SSM). 


9.3.2 IGMP Configuration 
Note: as of V4.3R2E2 software release, IGMP is not supported outside default VRF. 
9.3.2.1. Enabling IGMP 
Once PIM is enabled on an interface, IGMP is enabled too on the same interface. By default, IGMPv2 is 
supported. However, it is possible to force another IGMP version. 
CLI (config-if)> ip igmp version <1-2-3> 
If IGMPv3 is configured, then IGMPv3 reports are supported. To restore the default configuration, use the 


following command line: 


CLI (config-if)> ip igmp version 2 
9.3.2.2 Configuring IGMP Timers 


Each IGMP query is periodically sent to the defined subnet. query interval is the interval in seconds 
between each query. Use the following command line in interface configuration mode: 


CLI (config-if)> ip igmp query-interval <1-18000> 
To come back to default configuration with a query interval set to 125 seconds, use the following command 
line: 

CLI (config-if)> ip igmp query-interval 
Each IGMP query waits for a potential report, in response to the query, until a maximum response time 


authorized. To configure this maximum response time, use the following command line in interface 
configuration line: 


CLI (config-if)> ip igmp query-max-response-time <1-25> 


To come back to default configuration with a query max response time set to 10 seconds, use the following 
command line: 


CLI (config-if)> ip igmp query-—max-response-time 
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9.3.2.3. Configuring IGMP Access Policies 


9.3.2.4 


It is possible to filter incoming reports upon group address, and even source address when IGMPv3 
records are received. If a standard access-list is chosen, only a group of multicast addresses records are 
read and permitted. An extended access-list permits the configuration of a specific source address and 
multicast address. To configure an access-list, use the following configuration in interface command line: 


CLI (config-if)> ip igmp acces-group <name> 
To come back to default configuration no filtering applied to incoming IGMP reports, use the default 
command in interface configuration mode: 


CLI (config-if)> no ip igmp access-group 
Configuring IGMP Static Group 


The following command in interface configuration mode configures the router to be a statically connected 
member of the specified group on the interface. To remove the router as a member of the group, use the 
no form of this command. 


By default, a router is not a statically connected member of an IP multicast group. 
CLI(config-if)> [no] ip igmp static-group <group-address> [source 
<source-address>] 
group-address is the IP multicast group address of a group to which the router belongs. 


source-address is the IP address of a system within the group from where multicast data packets 
originate. 


9.3.2.5 | Configuring IGMP snooping 


9.3.3 


9.3.4 


By default IGMP snooping (defined in RFC 4541) is enabled on a bridge group if a BVI interface exists for 
this bridge group. Refer to "BVI Configuration" chapter of "OneOS — Bridging & LAN User Guide" 
document for more information. 


IGMP Statistics 


To display information of IGMP configuration, use the following command line in configuration command: 


CLI> show igmp interface 


IGMP Debugging 


To display IGMP debug information, use the following command line: 


CLI> debug ip igmp 
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10 ZONE-BASED FIREWALL 





10.1 ZONE-BASED FIREWALL OVERVIEW 


In a zone-based firewall, policies are no longer configured on an interface, but are defined between zones. 
The user can configure different zones and interfaces can be attached to a specific zone. 


Traffic will: 
1. Freely pass between two interfaces that are not attached to a zone. 
2. Not pass between an interface that is attached to a zone and an interface that is not. 
3. Freely pass between two interfaces that belong to the same security zone. 
4. Not pass from zone X to zone Y unless explicitly specified. 


To permit traffic from zone X to zone Y (including the reply traffic from zone Y to zone X in case of stateful 
inspection), you must create a zone-pair from zone X to zone Y and apply a policy to that zone-pair. A 
policy consists of a list of rules that match on individual flows through means of filters; each rule specifies 
the action to be taken on the matching traffic. 


A filter specification contains a list of different filter rules, each rule allowing a combined match on 
addresses, protocols, and /or port lists, etc ... 


Several modules can be identified in the configuration of the firewall functionality (refer to the diagram next 
page): 


e Interface: attach an interface to a zone. 
e Zone: reference object for interfaces and zone-pair definitions. 


e Zone-pair: to permit traffic from zone X to zone Y, a "zone X-zone Y" zone-pair combination must be 
defined and a policy must be applied to specify the traffic that is allowed. 


e Policy: a collection of policy rules, each rule describing a filter to match and the appropriate action to 
be taken. Basic actions that can be applied on a Policy Rule are pass/inspect/drop. 


e _ Filter: a collection of filter rules, describing the criteria used to match a packet. Filter criteria include: 
o Source and destination addresses. 
o Protocol and port specifications. 


e Parameters: contains a number of general parameters to be applied when a connection is created, 
such as connection time-out values, connection thresholds, etc ... 
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10.1 
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Zone <name> 


















Firewall Parameters 
Name Name 
VRF Max. Connections 
Zone list Timeouts 
Zone-pair list Stealth mode 
Options 


Parameters <name> 


Zone-pair 
Name 

Source Zone 
Destination Zone 

Policy <name> 

Filter <name> 








Filter Policy 
Name 
Parameters <name> 


Policy rules [0..n] 


Name 
Match all / any / none 
Filter rules [0..n] 


















Policy rules 
Name 

Match <filter> | any 
Action pass| inspect| 
drop 

ALG FTP | SIP | H323 
Parameters <name> 


Filter rules 
Name 
Match criteria 





Firewall 


On a router, multiple firewall instances can exist. However, only a single firewall instance can be used 
within a single VRF. 


2 


Zone 


A zone is a reference object for interfaces and zone-pair definitions. It is defined by its name. 


3 


Zone-pair 


To permit traffic from zone X to zone Y, a "zone X-zone Y" zone-pair combination must be configured 
together with a specification of the traffic that is allowed or denied. This can be done by applying a policy to 
the zone-pair definition. 


4 


Policy 


A Policy consists of: 


A name. 


A table of policy rules; each rule specifies: 


O° 


O° 


A rule name. 


A filter-name: a reference to a Filter specification; the keyword any can be used to indicate that 
all traffic matches. 


An action to be executed if the filter matches. An action can be pass, inspect, or drop. By 
default, the inspect action is applied. 


Advanced IP User Guide Page 10.1-110 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 


o Areference to a specific ALG (Application Level Gateway) configuration; if a supported ALG is 
detected, the code for processing the ALG will be executed by default, even without a specific 
reference to an ALG module. If the user wants to influence the parameters by which the ALG is 
executed, it can create a specific module for the supported ALGs (e.g. FTP, TFTP, H323, and 
SIP) and refer to the specific module in the policy rule. Several ALGs of different types can be 
referenced to in a single policy rule, because if a broad filter is specified on this rule, flows of 
different protocols can match on this rule. It is also be possible to instruct the firewall to bypass 
the ALG processing on this rule. 


Policies are parsed in the order in which they are configured. To insert additional policy rules in an existing 
policy it is possible to insert policy rules at any location within the policy rules table. 


10.1.5 Filters 


Filters are used to specify packet matching criteria. A Filter consists of: 
e Aname. 


e A [match all | match any | match none] option which indicates when the filter matches. Match all 
means all lines in the filter rules table should match, match any means only one of the lines in the filter 
rules must match and match none means the filter will match if none of the filter rules match the 
packet. Match any is the default value. 


e =A table of filter rules; for each filter rule, the match definition is based on several possible criteria: 


o IP Address definition (an entry for both source and destination address filtering): a host 
address, a subnet, an interval or a reference to a collection of addresses (see 10.1.5.1 below). 


o Service/application definition (Telnet, SMTP, HTTP ...): a protocol/port definition or a reference 
to a pre-defined/user-defined service definition (see 10.1.5.2 below). 


o Another filter specification. 


When adding a new filter rule, by default all criteria are unused. 
10.1.5.1 Address collections 


An Address Collection module consists of a collection of possible IP address ranges: 
1. Host: a simple address, e.g. 12.34.56.78. 
2. Subnet: an address / prefix length combination, e.g. 12.34.56.78/24. 
3. Interval: a start Interval — end Interval specification, e.g. 12.34.56.78-12.34.56.87. 


10.1.5.2 Services 


A Service can be used to make a collection of related IP protocol and port specifications which can be 
referenced as a whole. 


10.1.6 Parameters 
A parameters module contains a number of configurable parameters that will be applied when a new 
connection is created. Some of these parameters are common for all rules, others are protocol specific: 
e Maximum number of simultaneous connections by rule (maxConnsPerRule). 
e TCP timer values. 
e UDP timer values. 
e ICMP: 
o Timer values. 


o Configure the ICMP error messages that should be allowed for traffic matching on this policy 
rule. 


e Stealth mode: disable sending ICMP Error messages (Admin prohibited) if data is dropped (on Drop) 
or implicitly denied (on Deny), and/or TCP Reset messages when errors are seen in the TCP packets 
(on TCP Error). 
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The user can reference a Parameter module at: 
1. Firewall top level. 
2. Policy module level. 


3. Policy rule level. 


When a connection is created as a result of a match on a zone-pair/policy/policy rule combination, the 
parameters of the most specific level referring to a parameter module will be used for connection setup. 


Advanced IP User Guide Page 10.1-112 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 





10.2 ZONE-BASED FIREWALL POLICY DATABASE 


All configuration elements will be joined together in the firewall policy database. Packets not matching an 
existing flow will be matched against this database. The policy database also serves as the storage point 
for the firewall statistics. 


If a firewall configuration element is used multiple times in the configuration, the policy database will create 
multiple instances of these elements, each with their own set of statistics. 


A simplified structure of the policy database is shown below. 


LIST ZonePair { 
name 
status 
srcZone 
dst Zone 
counters 
refcount 
policy { 
name 
paramset 
counters 
status 
LIST policyRules_ { 
name 
status 
paramset 
action 
counters 
refcount 
filter { 
name 
matching mode 
LIST filterRules_ { 
name 
status 
counters 
refcount 
expanded lookup structure 
} 
} 


Because the configuration permits referencing nonexistent elements, the policy database must protect 
itself against incomplete configurations. Furthermore, reconfiguring (parts of) policies must in all cases be 
handled gracefully with a minimal impact on run-time behavior or previously collected usage statistics. 


The basic structure of the policy database is quite simple: it is an ordered list of zone pairs, with a policy 
assigned to them. 


A policy consists of a global parameter set and an ordered list of policy rules. A policy rule can overrule the 
parameter set of the policy it belongs to, but if it doesn’t the policy rule’s parameter set will be a copy of the 
policy’s parameter set. A policy rule also has an action and a filter. 


Filters consist of a matching mode and a number of filter rules. Filter rules can either be "simple", when 
they only use address and service information, or "complex", when they refer to other filters. All filter rules 
are expanded when they are entered in the policy database, but a maximum nesting level of 10 filter rules 
is enforced. 
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All of these policy database elements contain a counter structure for statistics (number of packets 
processed...) and a status word to indicate possible error conditions (e.g. the configuration references to a 
non-existing element) for this element. 


The policy database is used to create connection structures, and these connections can update the 
statistics throughout the policy database. On connection creation, a number of pointers to the appropriate 
counter structures in the policy database are stored in the connection structure and the count of the 
referenced elements in the policy database is incremented. On connection destruction, all the relevant 
reference counters for that specific session structure are decremented. In general, a non-zero reference 
count of some database element means that at least one active connection might still use this policy 
database element. 


Only "active" policy database elements are inspected for connection creation. A zone pair is active if all its 
references (source zone, destination zone and policy) are resolved. A policy can be active even if not all its 
policy rules are fully resolved. Incomplete policy rules are skipped. The parameter set must be resolved 
before a policy is active. A policy rule is only active if its filter (and all its filter rules) and its parameter set 
are resolved. 


Reconfiguration of the firewall (adding, deleting or changing of one or more elements) needs to be 
explained in more detail. Since the configuration is name-based and the policy database is not, a change 
in a configuration element has consequences on every instance of this configuration element in the policy 
database. 


A reconfiguration can also influence the error status in the policy database: a reference to a non-existing 
element can be solved by adding this element, or a reference to an element can become invalid when the 
referenced element is deleted. In any case, the status word of the relevant database elements will have to 
be updated. 


Since policy database elements can be referenced by connections, these elements cannot be deleted or 
changed in-place. When there is a change in a configuration element, the corresponding instances in the 
policy database are duplicated and brought up-to-date with the new configuration. The original instances 
get a deleted flag in their status word and will be deleted later by a follow-up routine once they are no 
longer referenced. The corresponding counters will be reset. 


Remark: There is one exception to this reconfiguration system. Changes to a parameter set do not create 
new database entries. They will immediately become active for new connections, and statistics are not 
reset. 
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10.3 ZONE-BASED FIREWALL CONFIGURATION 


10.3.1 Basic configuration 


10.3.1.1 Creating a firewall instance 


To create a new firewall instance, use the following command in global configuration mode: 

CLI (configure)> firewall <firewall-name> [max-connections <max-cnx>] 

CLI (firewall) > 
The above command will create a new firewall instance or will enter firewall configuration mode for this 
instance if it was already created. 


max-cnx ranging from 1000 to 10000 (default 1000) can be used to limit the number of connections the 
firewall will accept. Note that for an already existing firewall instance the change of the maximum number 
of connections is only taken into account after a reboot of the device; an information message is displayed 
in that case. 


To remove a firewall instance, use the following command in global configuration mode: 


CLI (configure)> no firewall <firewall-name> 


All the following firewall commands, except assigning an interface to a zone, are entered in firewall 
configuration mode. 


10.3.1.2 Using another VRF than the default VRF 


To set the VRF the firewall applies to, use the following command in firewall configuration mode: 


CLI (firewall)> vrf£f <name> 


To remove the VRF from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no vrf <name> 


To use the default VRF, use the following command in firewall configuration mode: 





CLI(firewall)> default vrf 
10.3.1.3 Adding zones to a firewall instance 


To create a new zone, use the following command in firewall configuration mode: 


CLI (firewall)> zone <zone-name> 


To remove a zone from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no zone <zone-name> 
10.3.1.4 Assigning an interface to a zone 


The following command, available in interface configuration mode assigns the interface to the specified 
firewall zone. The VRF of the interface and of the firewall must match. 


CLI (config-if)> firewall zone <zone-name> 


To remove the interface from the zone, use the following command in interface configuration mode: 


CLI (config-if)> no firewall zone [<zone-name>] 
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10.3.1.5 Defining filters on a firewall instance 


To create a new filter or edit an existing one and enter in filter configuration mode, use the following 
command in firewall configuration mode: 


CLI (firewall)> filter <filter-name> 
CLI (fw-filter)> 
To remove a filter from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no filter <filter-—name> 


To specify if all rules, at least one or no rule should match for the filter to return a positive result, use the 
following command in filter configuration mode (default is any). 


CLI (fw-filter)> match { all | any | none } 


To set the match mode to any, use the following command in filter configuration mode: 


CLI(fw-filter)> default match 


Note: There is no filter rule configuration mode. The properties have been grouped together to limit the 
configuration size. This implies that it might be necessary to configure a filter rule via several of the 
following commands if the properties are not available in a single command. 


Use the following command in filter configuration mode to create or edit a filter rule whose properties are 
related to matching source, destination and service (that should match); not-source, not-destination and 
not-service (that should not match). 


CLI (fw-filter)> rule <rule-name> [source <source> | not-source <source>] 
[destination <destination> | not-destination <destination>] 
[service <service-name> | not-service <service-name>] 


source and destination can be a host IP address or a network address (IP address / prefix length). 


service-name is a reference to a user defined service (see 10.3.2.5), or an inline service definition in the 
format protocol:port, where protocol can be a protocol number or any of the pre-defined named 
protocols (ICMP, IGMP, IP, TCP, UDP, IPv6, GRE, ESP, AH, OSPF, VRRP, L2TP), port can be a port 
number or any of the pre-defined named ports (bgp, domain, echo, ftp, ftpdata, h323, http-alt, 
https, ipsec-nat-t, isakmp, nntp, ntp, pop3, radius, router, smtp, snmp, snmptrap, ssh, 
syslog, tacacs, telnet, tftp, www). 


Use the following command in filter configuration mode to create or edit a filter rule whose properties are 
related to matching filter and TOS (that should match); not-filter and not-TOS (that should not match). 


CLI(fw-filter)> rule <name> [filter <filter> | not-filter <filter>] 
[tos <tos> | not-tos <tos>] 


filter is a reference to a defined filter; tos is a value ranging from 0 to 255. 


Refer to 10.3.2.2 section for more filter configuration commands. 


To exit filter configuration mode, use the following command in filter configuration mode: 
CLI (fw-filter)> exit 
CLI (firewall)> 
10.3.1.6 Defining policies on a firewall instance 
To create a new policy or edit an existing one and enter in policy configuration mode, use the following 


command in firewall configuration mode: 
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CLI (firewall)> policy <policy-name> 
CLI (fw-policy) > 
To remove a policy from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no policy <policy-name> 


Note: There is no policy rule configuration mode. The properties have been grouped together to limit the 
configuration size. This implies that it might be necessary to configure a policy rule via multiple commands 
if the properties are not available in a single command. 


Use the following command in policy configuration mode to create or edit a policy rule whose properties 
are related to matching a filter, defining the action to take (pass, inspect or drop) and the parameters to 
apply. 


CLI (fw-policy)> rule <rule-name> [filter <filter>] 
[action { pass | inspect | drop }] 
[parameters <parameter>] 


filter is a reference to a defined filter. 
parameter is a reference to a defined parameter set (see 10.3.2.8). 


If no filter is configured, all traffic matches. The default action is inspect. 


Use the following command in policy configuration mode to create or edit a policy rule whose properties 
are related to matching with one or more application level gateways: 


CLI (fw-policy)> rule <name> [alg ftp <alg-name>] [alg tftp <alg-name>] 


alg-name is a reference to an ALG definition (see 10.3.2.6). 


Refer to 10.3.2.3 section for more policy configuration commands. 


To exit policy configuration mode, use the following command in policy configuration mode: 


CLI(fw-policy)> exit 
CLI (firewall)> 


10.3.1.7 Adding zone pairs to a firewall instance 


To creates a new zone pair or edit an existing one and enter in zone pair configuration mode, use the 
following command in firewall configuration mode: 


CLI (firewall)> zone-pair <zone-pair-—name> 
CLI (fw-zone-pair) > 


To remove a zone pair from the firewall, use the following command in firewall configuration mode: 





CLI (firewall)> no zone-pair <zone-pair-name> 


To set the destination zone of the zone pair, use the following command in zone pair configuration mode: 


CLI (fw-zone-pair)> dst-zone <zone-name> 


To remove the destination zone from the zone pair, use the following command in zone pair configuration 
mode: 


CLI (fw-zone-pair)> no dst-—zone 


To set the source zone of the zone pair, use the following command in zone pair configuration mode: 
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CLI (fw-zone-pair)> sre-zone <zone-name> 


To remove the source zone from the zone pair, use the following command in zone pair configuration 
mode: 


CLI (fw-zone-pair)> no src-zone 


To set the policy of the zone pair, use the following command in zone pair configuration mode: 


CLI (fw-zone-pair)> policy <policy-name> 


To remove the policy from the zone pair, use the following command in zone pair configuration mode: 


CLI (fw-zone-pair)> no policy 


To exit the zone pair configuration mode, use the following command in zone pair configuration mode: 


CLI (fw-zone-pair)> exit 
CLI (firewall)> 


10.3.2 Advanced configuration 


10.3.2.1. Inspection configuration 
To enable firewall inspection, which passes the data through the firewall (this is the default), use the 
following command in firewall configuration mode: 
CLI (firewall)> inspection 
To disable firewall inspection, which bypasses the firewall functionality without having to remove the 
firewall configuration, use the following command in firewall configuration mode: 


CLI(firewall)> no inspection 
10.3.2.2 Filter configuration 


To create an empty rule with sequence number seq-nr, use the following command in filter configuration 
mode: 


CLI (fw-filter)> rule <rule-name> [seq-nr <0..2147483647>] 


To renumber the rules in the filter, starting from start in steps of increment (default increment is 10), 
use the following command in filter configuration mod: 


CLI (fw-filter)> resequence <start> [<increment>] 


Note: For removing a filter rule property there is no grouping of properties. All properties can be removed 
with a separate command. 


To remove the filter rule from the filter, use the following command in filter configuration mode: 


CLI (fw-filter)> no rule <rule-name> 


To remove the destination from the filter rule, use the following command in filter configuration mode: 





CLI (fw-filter)> no rule <rule-name> destination 


To remove the filter from the filter rule, use the following command in filter configuration mode: 
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CLI (fw-filter)> no rule <rule-name> filter 


To remove the service from the filter rule, use the following command in filter configuration mode: 


CLI (fw-filter)> no rule <rule-name> service 


To remove the source from the filter rule, use the following command in filter configuration mode: 


CLI (fw-filter)> no rule <rule-name> source 


To remove the TOS from the filter rule, use the following command in filter configuration mode: 








CLI (fw-filter)> no rule <rule-name> tos 


10.3.2.3. Policy configuration 


To set the parameters of the policy, use the following command in policy configuration mode: 


CLI (fw-policy)> parameters <params> 
params is a reference to a parameter definition. 


To create an empty rule with sequence number seq-nr, use the following command in policy 
configuration mode: 


CLI (fw-policy)> rule <rule-name> [seq-nr <0..2147483647>] 


To renumber the rules in the policy, starting from start in steps of increment (default increment is 10), 
use the following command in policy configuration mode: 


CLI (fw-policy)> resequence <start> [<increment>] 


Note: For removing a policy rule property there is no grouping of properties. All properties can be removed 
with a separate command. 


To remove the policy rule from the policy, use the following command in policy configuration mode: 


CLI (fw-policy)> no rule <rule-name> 


To remove all ALGs from the policy rule, use the following command in policy configuration mode: 


CLI (fw-policy)> no rule <rule-name> alg 


To remove the FTP ALG from the policy rule, use the following command in policy configuration mode: 





CLI (fw-policy)> no rule <rule-name> alg ftp 


To remove the TFTP ALG from the policy rule, use the following command in policy configuration mode: 


CLI (fw-policy)> no rule <rule-name> alg tftp 


To remove the filter from the policy rule, use the following command in policy configuration mode: 





CLI (fw-policy)> no rule <rule-name> filter 


To remove the parameters from the policy, use the following command in policy configuration mode: 


CLI (fw-policy)> no parameters 


To remove the parameters from the policy rule, use the following command in policy configuration mode: 





CLI (fw-policy)> no rule <rule-name> parameters 


To set the filter rule action to inspect, use the following command in policy configuration mode: 





CLI (fw-policy)> default rule <rule-name> action 
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10.3.2.4 Address-collection configuration 


To create a new address collection or edit an existing one and enter in address collection configuration 
mode, use the following command in firewall configuration mode: 


CLI (firewall)> address-collection <collection-name> 

CLI (fw-addr-collect) > 
To remove an address collection from the firewall, use the following command in firewall configuration 
mode: 


CLI (firewall)> no address-collection <collection-name> 


To add an address range to the address collection, use the following command in address collection 
configuration mode: 


CLI (fw-addr-collect)> [no] address-range <value> 
value can be a reference to an address collection, a host IP address, a network address (IP address / 
prefix length) or an IP address range (start IP address - end IP address). 


Use the no form of the command to remove the given address range. 


Then, exit the address collection configuration mode: 


CLI (fw-addr-collect)> exit 
CLI (firewall) > 


10.3.2.5 Service configuration 


To create a new service or edit an existing one and enter in service configuration mode, use the following 
command in firewall configuration mode: 


CLI (firewall)> service <service-name> 
CLI (fw-service) > 
To remove a service from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no service <service-name> 


To create an IP service record, use the following command in service configuration mode: 
CLI (fw-service)> record ip <protocol> 
protocol can be a protocol number or one of the following pre-defined protocol names: ICMP, IGMP, IP, 
TCP, UDP, IPv6, GRE, ESP, AH, OSPF, VRRP, L2TP. 
To remove an IP service record, use the following command in service configuration mode: 


CLI (fw-service)> no record ip <protocol> 


To create a TCP service record with a required destination start port plus optional destination end port and 
a required start port plus optional source end port, use the following command in service configuration 
mode: 


CLI(fw-service)> record tcp dst-port <tcpDstStartPort> [<tcpDstEndPort>] 
src-port <tcpSrcStartPort> [<tcpSrcEndPort>] 





Each TCP port parameter can be any, a port number or one of the following pre-defined port names: bgp, 
echo, ftp, ftpdata, h323, http-alt, https, nntp, smtp, ssh, tacacs, telnet Or www. 


To remove a TCP service record with a required destination start port plus optional destination end port 
and a required start port plus optional source end port, use the following command in service configuration 
mode: 
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CLI(fw-service)> no record tcp dst-port <tcpDstStartPort> 
[<tcpDstEndPort>] sre-port <tcpSrcStartPort> [<tcpSrcEndPort>] 








To create a UDP service record with a required destination start port plus optional destination end port and 
a required start port plus optional source end port, use the following command in service configuration 
mode: 


CLI (fw-service)> record udp dst-port <udpDstStartPort> [<udpDstEndPort>] 
src-port <udpSrcStartPort> [<udpSrcEndPort>] 








Each UDP port parameter can be any, a port number or one of the following pre-defined port names: 
domain, echo, ipsec-nat-t, isakmp, ntp, pop3, radius, router, snmp, snmptrap, syslog, 
tacacs Ortftp. 


To remove a UDP service record with a required destination start port plus optional destination end port 
and a required start port plus optional source end port, use the following command in service configuration 
mode: 


CLI(fw-service)> no record udp dst-port <udpDstStartPort> 
[<udpDstEndPort>] sre-port <udpSrcStartPort> [<udpSrcEndPort>] 








To exit service configuration mode, use the following command in service configuration mode: 


CLI (fw-service)> exit 
CLI (firewall)> 


10.3.2.6 Application Level Gateways — ALG - configuration 


Note: if an ALG is defined, by default all commands are allowed. 


To create a new FTP ALG or edit an existing one and enter in FTP ALG configuration mode, use the 
following command in firewall configuration mode: 


CLI (firewall)> alg ftp <alg-name> 
CLI (fw-alg-ftp) > 


To remove a FTP ALG from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no alg ftp <alg-name> 


To allow the given commands, use the following command in FTP ALG configuration mode: 





CLI (fw-alg-ftp)> allow command [write-file] [read-file] [list-dir] 
[create-dir] [remove-dir] [change-dir] [passive-mode] [all] 
To deny the given commands, use the following command in FTP ALG configuration mode: 
CLI (fw-alg-ftp)> deny command [write-file] [read-file] [list-dir] 
[create-dir] [remove-dir] [change-dir] [passive-mode] [all] 
Use the following command in FTP ALG configuration mode to enable (default) or disable the FTP ALG: 
CLI (fw-alg-ftp)> enable 
CLI (fw-alg-ftp)> disable 
Then, exit the FTP ALG configuration mode: 


CLI (fw-alg-ftp)> exit 
CLI (firewall)> 





To create a new TFTP ALG or edit an existing one and enter in TFTP ALG configuration mode, use the 
following command in firewall configuration mode: 


CLI (firewall)> alg tftp <alg-name> 
CLI (fw-alg-tftp) > 
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To remove a TFTP ALG from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no alg tftp <alg-name> 


To allow the given commands, use the following command in TFTP ALG configuration mode: 
CLI (fw-alg-tftp)> allow command [write-file] [read-file] [all] 


To deny the given commands, use the following command in TFTP ALG configuration mode: 


CLI (fw-alg-tftp)> deny command [write-file] [read-file] [all] 


Use the following command in TFTP ALG configuration mode to enable (default) or disable the TFTP ALG: 
CLI (fw-alg-tftp)> enable 
CLI (fw-alg-tftp)> disable 

Then, exit the TFTP ALG configuration mode: 


CLI (fw-alg-tftp)> exit 
CLI (firewall) > 








To define a default ALG used when a policy rules' action is inspect and no specific ALG is referenced, 
use the following command in firewall configuration mode: 


CLI (firewall)> alg default { ftp | tftp | sip | h323 } enable 


To remove the default ALG, use the following command in firewall configuration mode: 
CLI (firewall)> alg default { ftp | tftp | sip | h323 } disable 


10.3.2.7 Maximum number of connections configuration 


To set the maximum number of connections for the firewall, use the following command in firewall 
configuration mode: 


CLI (firewall)> max-connections <max-—connections> 
max-connections ranging from 1000 to 10000 (default 1000) is used to limit the number of connections 


the firewall will accept. Note that the change of the maximum number of connections is only taken into 
account after a reboot of the device; an information message is displayed in that case. 


To default the maximum number of connections (to 1000), use the following command in firewall 
configuration mode: 


CLI (firewall)> default max-connections 
10.3.2.8 Parameter set configuration 


To create a new parameter set or edit an existing one and enter in parameter configuration mode, use the 
following command in firewall configuration mode: 


CLI (firewall)> parameter <parameter-—name> 
CLI (fw-params) > 
To remove a parameter set from the firewall, use the following command in firewall configuration mode: 


CLI (firewall)> no parameter <parameter-name> 


To set the maximum number of connections per rule (default is 0), use the following command in 
parameter configuration mode: 





CLI (fw-params) > max-conns-—per-rule <max-conns-—per-rule> 


To return to the maximum number of connections default value, use the following command in parameter 
configuration mode: 


CLI(fw-params)> default max-conns-per-rule 
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To set the general timeout in seconds (default is 60s), use the following command in parameter 
configuration mode: 


CLI (fw-params)> timeout <timeout> 
To return to the general timeout default value, use the following command in parameter configuration 
mode: 


CLI (fw-params)> default timeout 


To set the TCP connection timeout in seconds (default is 86400s), use the following command in 
parameter configuration mode: 


CLI (fw-params) > tcp connection-timeout <1. .4294967295> 
To return to the TCP connection timeout default value, use the following command in parameter 
configuration mode: 


CLI (fw-params)> default tcp connection-timeout 


To set the TCP FIN-RST timeout in seconds (default is 5s), use the following command in parameter 
configuration mode: 


CLI (fw-params)> tep fin-rst-timeout <1. .4294967295> 
To return to the TCP FIN-RST timeout default value, use the following command in parameter 
configuration mode: 


CLI (fw-params)> default tcp fin-rst-—timeout 


To set the TCP watch timeout in seconds (default is 30s), use the following command in parameter 
configuration mode: 


CLI (fw-params)> tcp watch-timeout <1. .4294967295> 


To return to the TCP watch timeout value, use the following command in parameter configuration mode: 





CLI (fw-params)> default tcp watch-timeout 


To set the ICMP timeout in seconds, use the following command in parameter configuration mode: 


CLI (fw-params)> icmp timeout <timeout> 


To return to the ICMP timeout default value, use the following command in parameter configuration mode: 


CLI (fw-params)> default icmp timeout 


To set the UDP timeout in seconds (default is 60s), use the following command in parameter configuration 
mode: 


CLI (fw-params)> udp timeout <1. .4294967295> 


To return to the UDP timeout default value, use the following command in parameter configuration mode: 


CLI (fw-params)> default udp timeout 


To set the UDP watch timeout in seconds (default is 5s), use the following command in parameter 
configuration mode: 


CLI (fw-params)> udp watch-timeout <1. .4294967295> 
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To return to the UDP watch timeout default value, use the following command in parameter configuration 
mode: 


CLI (fw-params)> default udp watch-timeout 


To enable stealth mode on deny (default is off), use the following command in parameter configuration 
mode: 


CLI (fw-params)> stealth on-deny 


To disable stealth mode on deny, use the following command in parameter configuration mode: 





CLI (fw-params)> no stealth on-deny 
To enable stealth mode on drop (default is on), use the following command in parameter configuration 
mode: 


CLI (fw-params)> stealth on-drop 


To disable stealth mode on drop, use the following command in parameter configuration mode: 


CLI (fw-params)> no stealth on-drop 


To enable stealth mode on TCP error (default is off), use the following command in parameter 
configuration mode: 


CLI (fw-params)> stealth on-tcp-error 


To disable stealth mode on TCP error, use the following command in parameter configuration mode: 


CLI (fw-params)> no stealth on-tcp-error 


To exit parameter configuration mode, use the following command in parameter configuration mode: 


CLI (fw-params)> exit 


10.3.2.9 Logging configuration 


Note: for all logging commands the logging default destination is messages. 


To enable logging for the specified ALG name or for all ALG names, use the following command in firewall 
configuration mode: 


CLI (firewall)> logging alg { all | ftp | tftp | sip | h323 } 
To disable logging of one of the listed ALGs or all ALGs, use the following command in firewall 
configuration mode: 

CLI (firewall)> no logging alg { all | ftp | tftp | sip | h323 } 
To enable detailed ALG logging to one of the listed destinations with priority level equal or higher than the 
given level, use the following command in firewall configuration mode: 


CLI(firewall)> logging alg destination { syslog | messages | console } 
level { emergency | alert | critical | error | warning | notice 
| informational | debug | default } 


To disable ALG logging to the specified destination, use the following command in firewall configuration 
mode: 

CLI (firewall)> no logging alg destination { syslog | messages | console } 
To default the ALG logging (to none), use the following command in firewall configuration mode. The 


optional destinations parameter resets to level warning the firewall ALG logging destinations (syslog, 
messages and console). 


CLI (firewall)> default logging alg [destinations] 
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To enable logging of the specified attack type or for all known attack types, use the following command in 
firewall configuration mode: 


CLI(firewall)> logging attack { all | syn-flooding | Ping-of-death 
| ip-spoofing | win-nuke | ip-option | tcp-probe } 
To disable logging of the specified attack type or of all attack types, use the following command in firewall 
configuration mode: 
CLI(firewall)> no logging attack { all | syn-flooding | ping-of-—death 
| ip-spoofing | win-nuke | ip-option | tcp-probe } 
To enable detailed attack logging to the specified destination with priority level equal or higher than the 
given level, use the following command in firewall configuration mode: 


CLI (firewall)> logging attack destination { syslog | messages | console } 
level { emergency | alert | critical | error warning | notice 
| informational | debug | default } 


To disable attack logging to the specified destination, use the following command in firewall configuration 
mode: 
CLI(firewall)> no logging attack destination { syslog | messages 


| console } 


To default the attacks logging (to none), use the following command in firewall configurations mode. The 
optional destinations parameter resets to level warning the firewall attack logging destinations (syslog, 
messages and console). 


CLI (firewall)> default logging attack [destinations] 


To enable logging of the specified configuration message or of all configuration messages, use the 
following command in firewall configuration mode: 


CLI (firewall)> logging configuration { all | reconfig | config-error } 
To disable logging of the specified configuration message or of all configuration messages, use the 
following command in firewall configuration mode: 

CLI (firewall)> no logging configuration { all | reconfig | config-error } 
To enable detailed configuration messages logging to the specified destination with priority level equal or 
higher than the given level, use the following command in firewall configuration mode: 


CLI(firewall)> logging configuration destination { syslog | messages 
| console } level { emergency | alert | critical | error | warning 
| notice | informational | debug | default } 


To disable configuration logging to the specified destination, use the following command in firewall 
configuration mode: 
CLI (firewall)> no logging configuration destination { syslog | messages 


| console } 


To default configuration messages logging (to configuration errors), use the following command in firewall 
configuration mode. The optional destinations parameter resets to level warning the configuration 
messages logging destinations (syslog, messages and console). 


CLI (firewall)> default logging configuration [destinations] 


To enable logging of the specified general messages or of all general messages, use the following 
command in firewall configuration mode: 


CLI (firewall)> logging general { all | system-errors | memory } 
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To disable logging of the specified general message or of all general messages, use the following 
command in firewall configuration mode: 


CLI (firewall)> no logging general { all | system-errors | memory } 


To enable detailed logging of general messages to the specified destination with priority level equal or 
higher than the given level, use the following command in firewall configuration mode: 


CLI (firewall)> logging general destination {syslog | messages | console } 
level { emergency | alert | critical | error | warning | notice 
| informational | debug | default } 


To disable general messages logging to the specified destination, use the following command in firewall 
configuration mode: 


CLI(firewall)> no logging general destination { syslog | messages 


| console } 


To default the general messages logging (to none), use the following message in firewall configuration 
mode. The optional destinations parameter resets to level warning the general messages logging 
destinations (syslog, messages and console). 


CLI(firewall)> default logging general [destinations] 


To enable logging of the specified event or for all traffic related events, use the following command in 
firewall configuration mode: 


CLI(firewall)> logging traffic { all | connection | drop-policy 
| implicit-—deny | half-open-connection | packet } 
To disable logging of the specified traffic related event or of traffic related events, use the following 
command in firewall configuration mode: 
CLI(firewall)> no logging traffic { all | connection | drop-policy 
| implicit-—deny | half—-open-connection | packet } 
To enable detailed traffic logging to the specified destination with priority level equal or higher than the 
given level, use the following command in firewall configuration mode: 


CLI (firewall)> logging traffic destination { syslog | messages | console} 
level { emergency | alert | critical | error | warning | notice 
| informational | debug | default } 


To disable traffic logging to the specified destination, use the following command in firewall configuration 
mode: 
CLI(firewall)> no logging traffic destination { syslog | messages 


| console } 


To default the traffic logging (to none), use the following command in firewall configuration mode. The 
optional destinations parameter resets to level warning the traffic logging destinations (syslog, 
messages and console). 


CLI (firewall)> default logging traffic [destinations] 


To default all logging criteria (to their default values — see above), use the following command in firewall 
configuration mode: 


CLI (firewall)> default logging 
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10.4 ZONE-BASED FIREWALL STATISTICS 


At any stage of the configuration, information about the firewall(s) can be displayed. 


To limit the output of the firewall show commands, you can define a filter, so the output will be filtered, and 
only information for that specified firewall will be displayed. 


CLI> firewall display-filter <filter-name> 


Use the following command to display the currently active display-filter: 


CLI> show firewall display-filter 


To display configuration information related to the firewall, use the following command: 


CLI> show firewall config [<firewall-name>] 


If no firewall name is specified, configuration information for all firewalls is displayed (possibly filtered by 
the firewall display-filter). If a firewall name is specified, configuration information for the specified firewall 
is displayed (in this case, the display-filter is ignored). 


The configuration shown in this way is the same as what is shown in the show running-config 
command, except that sequence numbers are added to policy rules and filter rules. This allows you to 
insert rules in between existing rules. 


To display information on the policy database, use the following command: 


CLI> show firewall policy-database [detail] [legend] [zone-pair <name>] 


Adding the keyword detail will give you much more detailed information on the database. As it uses 
numbers or characters (depending on displaying detailed information or not) for the status information, it 
might be useful to add the keyword legend, which will add the legend at the beginning of the output. To 
limit the output to a single zone-pair, especially useful when displaying detailed information, you can 
specify it with name. 


CLI> show firewall policy-database legend 


1: deleted 

2: source zone incomplete 

4: destination zone incomplete 

8: outbound nat incomplete 

10: policy incomplete 
20: policy rules incomplete. For more info: show firewall policy-database detail 
40: internal 


Firewall demosetup 


zone-pair src-zone dst-zone policy nat status ref-cnt nr sys-up-time 
corp2dmz corporate dmz corp2dmz - 20 4 3 Od 00:00:10 
corp2int corporate internet corp2int - 20 0 3 Od 00:00:10 
dmz2corp dmz corporate dmz2corp — 0 1 3 Od 00:00:10 
dmz2int = internet dmz2int = 22 0 2 Od 00:00:10 
int2dmz internet dmz = 7 10 0 2 Od 00:00:07 
int2manag internet management int2manag - 20 0 3 Od 00:00:09 
internal corporate management internal - 40 0 0 Od 00:00:07 
internal dmz management internal - 40 Al 0 Od 00:00:07 
internal management corporate internal - 40 0 0 Od 00:00:07 
internal management dmz internal - 40 0 0 Od 00:00:07 
internal management internet internal - 40 0 0 Od 00:00:07 


We see for zone-pair corp2dmz, the status indicates incomplete policy rules; we can display a more 
detailed listing (see below). Note that even though the policy rules are incompletes, the policy can be used 
and traffic is going over it (the incomplete rules are simply disregarded as if they are not in the 
configuration). 


CLI> show firewall policy-database detail legend zone-pair corp2dmz 


Advanced IP User Guide Page 10.4-127 of 130 


ONEOS V4.3R4 /V5.1R3 ADVANCED IP USER GUIDE (EDITION 10) 


NNO MNDDOUVASERePMHAAOM P+ 


match -: no match 

action incomplete 

alg incomplete 

deleted 

destination address collection incomplete 
filter incomplete 

filter rules incomplete 

internal 

parameter set incomplete 

inbound nat incomplete 

outbound nat incomplete 

policy incomplete 

policy rules incomplete 

service incomplete 

source address collection incomplete 
destination zone incomplete 

source zone incomplete 


Firewall demosetup 


zone-pair:corp2dmz_3 Od 00:00:10 status:normal ref-cnt:2 processed/applied/connections:4/4/8 packets/octets:7617/309663 


src-zone corporate status:normal 
dst-zone dmz status:normal 
policy:corp2dmz Od 00:00:10 status:normal ref-cnt:0 processed/applied/connections:4/4/8 packets/octets:7617/309663 
rule:allowssh_1 0d 00:00:08 status:normal ref-cnt:0 processed/applied/connections:4/0/0 packets/octets:0/0 
filter:ssh(+) Od 00:00:08 status:normal ref-cnt:0 processed/applied/connections:4/0/0 packets/octets:0/0 
mode any 
rule:matchssh_0 0d 00:00:08 status:normal ref-cnt:0 processed/applied/connections:4/0/0 packets/octets:0/0 
service (+) 
protocol src-port dst-port 
6 0 - 65535 22 - 22 
rule:allowtelnet_1 Od 00:00:08 status:normal ref-cnt:1 processed/applied/connections:4/1/1 packets/octets:358/14441 
filter:telnet (+) Od 00:00:08 status:normal ref-cnt:1 processed/applied/connections:4/1/1 packets/octets:358/14441 
mode any 
rule:matchtelnet_0 Od 00:00:08 status:normal ref-cnt:1 processed/applied/connections:4/1/1 packets/octets:358/14441 
service (+) 
protocol src-port dst-port 
6 0 — €5535 23 = 23: 
rule:allowftp_2 0d 00:00:10 status:normal ref-cnt:0 processed/applied/connections:3/2/6 packets/octets:7024/281122 
filter:ftp(+) Od 00:00:09 status:normal ref-cnt:0 processed/applied/connections:3/2/6 packets/octets:7024/281122 
mode any 
rule:matchftp_0 0d 00:00:09 status:normal ref-cnt:0 processed/applied/connections:3/2/6 packets/octets:7024/281122 
service (+) 


protocol src-port dst-port 
6 0 - 65535 21 - 21 
alg ftp:ftpall 0d 00:13:35 status:normal ref-cnt:0 
write-file read-file list-dir create-dir remove-dir change-dir passive-mode 
allow allow allow allow allow allow allow 


rule:allowweb_1 0d 00:00:09 status:normal ref-cnt:0 processed/applied/connections:1/0/0 packets/octets:0/0 
filter:web(+) Od 00:00:09 status:normal ref-cnt:0 processed/applied/connections:1/0/0 packets/octets:0/0 
mode any 
rule:matchweb_2 0d 00:00:09 status:normal ref-cnt:0 processed/applied/connections:1/0/0 packets/octets:0/0 
service:web(+) status:normal 


protocol src-port dst-port 
6 0 =. 65535. :80 - 80 
6 0 - 65535 8080 - 8080 


If logging is configured to send messages to the message table, these messages can be displayed with 
the following commands: 


CLI> show firewall log-messages 
firewall: demosetup 

(Od 00:02:37) {006} TRAFFIC:NOTIC:CONN_TIMEOUT: id 15 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(0d 00:02:50) {007} CONFIG :ERROR: INCOMPL_POLICYRULE: denyall 

(0d 00:02:50) {008} CONFIG :ERRO. NCOMPL_POLICYRULE: denyall 

(0d 00:02:50) {009} CONFIG :ERRO. NCOMPL_ZONEPAIR: dmz2int 

(0d 00:02:50) {010} CONFIG :ERRO. NCOMPL_POLICYRULE: denyall 

(0d 00:02:50) {011} CONFIG :ERRO. NCOMPL_ZONEPAIR: int2dmz 

(0d 00:02:50) {012} CONFIG :ERRO. NCOMPL_POLICYRULE: denyall 

(Od 00:02:52) {013} TRAFFIC:NOTI ONN_CREATE: id 16 sre 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(Od 00:03:00) {014} TRAFFIC:NOTIC:CONN_TIMEOUT: id 16 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(Od 00:03:00) {015} TRAFFIC:NOTIC:CONN_CREATE: id 17 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(Od 00:03:08) {016} TRAFFIC:NOTIC:CONN_TIMEOUT: id 17 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(Od 00:03:15) {017} TRAFFIC:NOTIC:CONN_CREATE: id 18 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(Od 00:03:24) {018} TRAFFIC:NOTIC:CONN_TIMEOUT: id 18 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(Od 00:03:29) {019} TRAFFIC:NOTIC:CONN_CREATE: id 19 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 
(Od 00:03:40) {020} TRAFFIC:NOTIC:CONN_TIMEOUT: id 19 src 192.168.2.3 dst 192.168.2.255 prot udp srcPort 137 dstPort 137 





If you only want to see the log-messages for configuration, you can use the following command: 


CLI> show firewall config-—messages 
firewall: demosetup 


seq-nr time msg-id severity message 
7 Od 00:02:50 INCOMPL_POLICYRULE ERROR denyall 

8 Od 00:02:50 INCOMPL_POLICYRULE ERROR denyall 

9 Od 00:02:50 INCOMPL_ZONEPAIR ERROR dmz2int 

10 Od 00:02:50 INCOMPL_POLICYRULE ERROR denyall 

11 Od 00:02:50 INCOMPL_ZONEPAIR ERROR int2dmz 

12 Od 00:02:50 INCOMPL_POLICYRULE ERROR denyall 


A short overview of which zone is defined on which interface, use the following command: 


CLI> show firewall interfaces 
firewall: demosetup 
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name zone 
FastEthernet 0/0 corporate 
FastEthernet 0/3 dmz 

FastEthernet 1/0 internet 


Use the following to display info on the existing flows for the firewall(s): 


CLI> show firewall flows [detail] [conn-id <id>] 


CLI> show firewall flows 
firewall: demosetup 


src-zone dst-zone sxrc-address dst-address prot src-prt dst-prt timeout packets 

> corporate dmz 192.168.1.1 192.168.2.2 tcp 2031 telnet 00d 23:59:59 114 
< dmz corporate 192.168.2.2 192.168.1.1 tcp telnet 2031 00d 23:59:59 116 
> corporate dmz 192.168.1.1 192.168.2.3 icmp — = 00d 00:00:59 124 
< dmz corporate 192.168.2.3 192.168.1.1 icmp — = 00d 00:00:59 124 
> corporate dmz 192.168.1.1 192.168.2.3 tcp 2072 ftp 00d 23:59:43 10 

> dmz corporate 192.168.2.2 192.168.1.1 udp 1028 2082 00d 00:00:59 301 
< corporate dmz 192.168.1. 192.168.2.2 udp 2082 1028 00d 00:00:59 304 


conn-id alg-id 
38 - 
38 7 
42 = 
42 =; 
50 = 


58 tftp 
58 tftp 


Adding the keyword detail will give you more detailed information on the flows. Especially in that case, it 
might be useful to specify a single connection by using id to limit the output to the desired connection. 


CLI> show firewall flows detail conn-id 56 

firewall: demosetup 

> src-intf=FastEthernet 0/0, src-zone=corporate, dst-intf=FastEthernet 0/3, dst-zone=dmz 
src-address=192.168.1.1, dst-address=192.168.2.3 


age=0d 00:00:21, timeout=0d 23:59:59, mode=FA, conn-id=56, alg-id=ftp:54, packets/octets=5251/210052 
zone-pair=corp2dmz, policy=corp2dmz, policy-rule=allowftp, filter=ftp, filter-rule=matchftp 
prot=tcp, src-port=2079, dst-port=3708, state=established, seq-nr=316472412, acked-nr=316472412 


< src-intf=FastEthernet 0/3, src-zone=dmz, dst-intf=FastEthernet 0/0, dst-zone=corporate 
src-address=192.168.2.3, dst-address=192.168.1.1 


age=0d 00:00:21, timeout=0d 23:59:59, mode=RA, conn-id=56, alg-id=ftp:54, packets/octets=10658/15611056 
zone-pair=corp2dmz, policy=corp2dmz, policy-rule=allowftp, filter=ftp, filter-rule=matchftp 
prot=tcp, src-port=3708, dst-port=2079, state=established, seq-nr=4061000540, acked-nr=4060997620 


vxTarget>sh firewall flows detail conn-id 58 


firewall: demosetup 
> src-intf=FastEthernet 0/3, src-zone=dmz, dst-intf=FastEthernet 0/0, dst-zone=corporate 
src-address=192.168.2.2, dst-address=192.168.1.1 


age=0d 00:00:21, timeout=0d 00:00:59, mode=FA, conn-id=58, alg-id=tftp, packets/octets=489/15648 
zone-pair=dmz2corp, policy=dmz2corp, policy-rule=allowtftp, filter=tftp, filter-rule=matchtftp 


prot=udp, src-port=1028, dst-port=2082 
< src-intf=FastEthernet 0/0, src-zone=corporate, dst-intf=FastEthernet 0/3, dst-zone=dmz 
src-address=192.168.1.1, dst-address=192.168.2.2 


age=0d 00:00:21, timeout=0d 00:00:59, mode=RA, conn-id=58, alg-id=tftp, packets/octets=490/266560 
zone-pair=dmz2corp, policy=dmz2corp, policy-rule=allowtftp, filter=tftp, filter-rule=matchtftp 


prot=udp, src-port=2082, dst-port=1028 


Statistics on number of packets, connections and fragmentation can be displayed by the following 


command: 


CLI> show firewall statistics 
firewall: demosetup 


packets 
processed: 34455 
passed : 34448 


dropped : 0 
rejected : 7 
invalid interface 
no policy : 
no connection setup: 
protocol 
alg 
bandwidth 
connections 
created : 68 
closed : 10 
timed out: 55 
fragments 
fragmented packets: 
fragments received: 
cached fragments 
lost fragments 


SCONUOCO 


ooOoCo°o 
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11 OPEN SOURCE SOFTWARE 


The OneAccess Operating System (OneOS) includes source code covered by the GNU General Public 
License (GPL) terms and conditions. As a result the OneOS distribution terms allow distribution in source 
code form of the software library named hereafter: 


e Zebra routing software, Copyright (C) 2000 Kunihiro Ishiguro. 


e 4.4BSD software, Copyright (C) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The 
Regents of the University of California. All rights reserved. 


The GPL files can be obtained by connecting to the following URL: http://www.oneaccess- 
net.com/en/fsoft/fsoft.htm!l. OneAccess is committed to provide the sources on request for 3 years after 
time of purchase of the product. 
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